CCNP Security: Securing Networks With ASA VPNs

Transcription

Rob Settle, Security Specialist, CCIE #23633 (Security, Routing and Switching)
Session BRKCRT-1160
BRKCRT-1160 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Rejoice, Security Folks: VPNs are enablers!
(Diagram: User passing through Firewalls, IPS, Web Proxy, Mail Relays, 802.1x; VPN paths added: Site-to-Site VPN, Remote Access VPN)

Agenda
- Overview of CCNP Security VPN v1.0 Exam
- VPN v1.0 Topics
  - ASA VPN Architecture and Fundamentals
  - IPsec Fundamentals
  - IPsec Site to Site
  - IPsec Remote Access
  - AnyConnect SSL VPN
  - Clientless SSL VPN
  - Advanced VPN Concepts
- Q&A

Overview of the CCNP Security

Disclaimer / Warning
- This session will strictly adhere to Cisco's rules of confidentiality
- We may not be able to address specific questions
- If you have taken the exam, please refrain from asking questions from the exam; this protects you from disqualification
- We will be available after the session to direct you to resources to assist with specific questions or to provide clarification

CCNP Security Certified Means
- All four CCNP Security exams required. No elective options.
- Some legacy CCSP exams qualify for CCNP Security credit.

Exam No   Exam Name
642-637   Securing Networks with Cisco Routers and Switches (SECURE)
642-627   Implementing Cisco Intrusion Prevention System (IPS)
642-617   Deploying Cisco ASA Firewall Solutions (FIREWALL)
642-647   Deploying Cisco ASA VPN Solutions (VPN)

642-647 VPN v1.0 Exam
- Approximately 90 minute exam
- 60-70 questions
- Register with Pearson Vue: http://www.vue.com/cisco
- Exam cost is 150.00 USD

Preparing for the VPN v1.0 Exam
- Recommended reading
  - CCNP Security VPN 642-647 Official Cert Guide (July 2011)
  - CCSP books in the interim
  - Cisco ASA 8.2 Configuration Guide
- Recommended training via Cisco Learning Partners: Deploying Cisco ASA VPN Solutions
- Cisco Learning Network: www.cisco.com/go/learnnetspace
- Practical experience
  - Real equipment
  - ASDM in demo mode

Session Notes
- Session and exam are based on ASA 8.2 and ASDM 6.2 software, even though 8.3 and 8.4 are available on Cisco.com
- This session covers most topics but cannot cover each topic in depth
- Proper study and preparation is essential
- Spend time with the Adaptive Security Device Manager (ASDM) demo

Command Line Quiz!

Cisco ASA Architecture and VPN Fundamentals

ASA Architecture
- ASA VPN Overview
- ASA Design Considerations
- AAA and PKI Refreshers
- VPN Configuration Basics

Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are a way to establish private connections over another network, such as a WAN.
VPN capabilities:
- Confidentiality: prevent others from reading data traffic
- Integrity: ensure data traffic has not been modified
- Authentication: prove the identity of the remote peer and of packets
- Anti-replay: prevent replay of encrypted traffic

ASA Virtual Private Networks (VPNs)
- Site-to-Site VPN: connects two separate networks using two VPN gateway devices such as an ASA; utilizes IPsec
- Remote Access VPN: connects a single user to a remote network via a gateway such as an ASA; utilizes IPsec or Secure Sockets Layer (SSL)
(Diagram: HQ, Branch A and Branch B connected over the Internet)

Remote-Access VPN
- Client-based VPN: remote access using an installed VPN client (VPN Client or AnyConnect); permits "full tunnel" access
- Clientless VPN: remote access through a web browser that leverages the browser's SSL encryption for protection; permits limited access but requires no footprint on the endpoint
(Diagram: Home Office and Computer Kiosk through the ISP to the Corporate Office)

Choosing Remote Access VPN Method
- IPsec VPN: traditional IPsec access using the Cisco VPN Client
- AnyConnect SSL VPN: recommended next generation remote access (Windows 7 supported); SSL VPN based; full tunnel capabilities similar to IPsec VPN; works with Cisco Secure Desktop
- Clientless SSL VPN (WebVPN): recommended for thin, flexible access from any computer; web browser based using SSL encryption, no software required; permits network access via HTTP/S, plug-ins, and port forwarding; works with Cisco Secure Desktop
(Diagram: Home Office and Computer Kiosk to the Corporate Network)

Remote Access VPN Licensing
- IPsec VPNs require no license
- AnyConnect Essentials license: platform license enabling the max number of SSL VPN sessions; permits use of AnyConnect full tunnels, not Cisco Secure Desktop (CSD) or Clientless SSL VPN
- AnyConnect Premium license: user count based and limited to the platform session max; enables all AnyConnect features including full tunnel, CSD, and Clientless
- AnyConnect Mobile license (requires Essentials or Premium): enables iPhone and Windows Mobile clients
- Advanced Endpoint Assessment (requires Premium): enables host remediation with Cisco Secure Desktop
- AnyConnect Shared license: enables SSL VPN Premium license pooling amongst multiple ASAs
- AnyConnect Flex license: enables 60-day SSL VPN Premium licenses for business continuity planning
Reference (truncated URL on the slide): /license/license82.html

ASA License Keys
- Two types: Permanent and Temporary
- Three rules to remember
  1. Only one key of each type can be active at a time
  2. The higher value from either license is used; values are NOT combined or additive
  3. Loading a Permanent key overwrites the existing Temporary key; re-enter the Temporary key to activate the temporary license features again
- Examples

Base license     Key loaded       Result
25 SSLVPN (P)    10 SSLVPN (P)    10 SSLVPN (P)
10 SSLVPN (P)    25 SSLVPN (T)    25 SSLVPN (T)
25 SSLVPN (T)    10 SSLVPN (P)    10 SSLVPN (P)
Reference (truncated URL on the slide): a82/license/license82.html

VPN Configuration

VPN Configuration Components
(Diagram: IPsec, SSL VPN, Users, Group Policies, WebVPN, Connection Profiles)

VPN Configuration Components
- User: the individual that will be instantiating the VPN
- Group Policy: settings for a group of users
- Connection Profile: defines a VPN service
Reference (truncated URL on the slide): /configuration/guide/vpngrp.html

  group-policy VPN_POLICY internal
  group-policy VPN_POLICY attributes
   dns-server value 192.168.1.10
   vpn-filter value VPN_IN_ACL

  tunnel-group VPN_GROUP type remote-access
  tunnel-group VPN_GROUP general-attributes
   address-pool VPN_POOL
   authentication-server-group (inside) ACS

VPN Group Policy
- Internal (stored on the ASA) or External (stored on RADIUS)
- Sample of the settings it carries: WINS, DNS, DHCP and web proxy settings; VPN access hours, idle timeout, network filter, permitted VPN protocols; split tunneling
- The default Group Policy is called DfltGrpPolicy. It can be modified but NOT deleted.
- Settings are inherited: User -> Connection Profile's Group Policy -> Default Group Policy

External Group Policy
- Stored on a RADIUS server as a special user account
- That RADIUS user carries Vendor-Specific Attributes (VSAs) holding the Group Policy settings
- The Group Policy configuration on the ASA includes the RADIUS username and password

  group-policy VPN external server-group ACS password s3cr3t

VPN Group Policy

VPN Connection Profile
- Formerly called Tunnel Group. The command line still uses tunnel-group terminology.
- Core VPN service attributes
  - VPN type (IPsec Site-to-Site, IPsec Remote Access, SSL VPN, Clientless)
  - Authentication, authorization, and accounting servers
  - Default group policy
  - Client address assignment method
  - VPN type specific attributes for IPsec and SSL VPN
- Default Connection Profiles. They can be modified but NOT deleted.
  - DefaultRAGroup: Remote Access connections
  - DefaultWEBVPNGroup: Clientless SSL VPN connections
  - DefaultL2LGroup: IPsec site-to-site connections
- Settings are inherited
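The inheritance chain on the two slides above (user attributes, then the connection profile's group policy, then DfltGrpPolicy) is easy to get wrong when troubleshooting why a user ended up with a filter or timeout they should not have. The following is an added example, not code from the slides or from Cisco: a small resolver that applies the same layering to a constructed set of policies, profiles and users, and reports which layer each effective value came from. The policy, profile and user names and all attribute values are assumptions made up for the illustration; the per-user vpn-group-policy override reflects ASA behaviour (a username's own group-policy attribute wins over the profile's default).

```python
"""Resolve effective ASA VPN session attributes the way the ASA layers them:
user attributes -> group policy (profile default, or the user's own
vpn-group-policy override) -> DfltGrpPolicy. An attribute left unset (None)
at one layer is inherited from the next. All names/values are constructed."""

# DfltGrpPolicy is the last layer, so every attribute resolves here at the latest.
DFLT_GRP_POLICY = {
    "dns-server": None,
    "vpn-idle-timeout": 30,              # minutes
    "vpn-filter": None,                  # no ACL applied to the tunnel
    "vpn-tunnel-protocol": ("IPSec", "webvpn"),
    "split-tunnel-policy": "tunnelall",
}

GROUP_POLICIES = {                       # group-policy <name> internal
    "DfltGrpPolicy": DFLT_GRP_POLICY,
    "VPN_POLICY": {
        "dns-server": "192.168.1.10",
        "vpn-filter": "VPN_IN_ACL",
        "split-tunnel-policy": "tunnelspecified",
    },
}

CONNECTION_PROFILES = {                  # tunnel-group <name> general-attributes
    "VPN_GROUP": {"default-group-policy": "VPN_POLICY"},
    "DefaultRAGroup": {"default-group-policy": "DfltGrpPolicy"},
}

USERS = {                                # username <name> attributes
    "alice": {"vpn-idle-timeout": 10},
    "bob": {"vpn-group-policy": "VPN_POLICY"},   # overrides the profile's policy
    "carol": {},
}


def select_group_policy(username, profile_name):
    """A per-user vpn-group-policy wins over the connection profile's default."""
    user = USERS.get(username, {})
    return user.get("vpn-group-policy") or CONNECTION_PROFILES[profile_name]["default-group-policy"]


def effective_attributes(username, profile_name):
    """Return {attribute: (value, layer it was taken from)} for the session."""
    user = USERS.get(username, {})
    policy_name = select_group_policy(username, profile_name)
    layers = [
        ("user:" + username, user),
        ("group-policy:" + policy_name, GROUP_POLICIES[policy_name]),
        ("group-policy:DfltGrpPolicy", DFLT_GRP_POLICY),
    ]
    resolved = {}
    for attr in DFLT_GRP_POLICY:
        for layer_name, layer in layers:
            if layer.get(attr) is not None:      # first layer that sets it wins
                resolved[attr] = (layer[attr], layer_name)
                break
        else:
            resolved[attr] = (None, "unset")
    return resolved


if __name__ == "__main__":
    for user, profile in (("alice", "VPN_GROUP"), ("bob", "DefaultRAGroup"), ("carol", "DefaultRAGroup")):
        print(f"{user} via {profile}:")
        for attr, (value, source) in effective_attributes(user, profile).items():
            print(f"  {attr:22} {str(value):22} <- {source}")
```

When a user unexpectedly has no vpn-filter, this is the table to look at: the filter is only as strong as the nearest layer that sets it, and a user attribute or a per-user group-policy override silently replaces what the connection profile's policy would have applied.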

VPN Connection Profile

AAA and PKI Refreshers

AAA Refresher
- Authentication, Authorization, and Accounting (AAA)
  - Authentication: proving the identity of the user
  - Authorization: controlling the permissions of the user
  - Accounting: logging the actions of the user
- AAA servers are used to perform one or more of the AAA functions
  - Supported AAA servers include RADIUS, TACACS+, RSA/SDI, NT, Kerberos, LDAP, HTTP Forms, and the LOCAL database
  - Server example: Cisco ACS for RADIUS or TACACS+

  aaa authentication http console ACS LOCAL
  aaa authentication ssh console LOCAL
  aaa authorization exec LOCAL
  aaa accounting enable console ACS
  aaa accounting ssh console ACS

PKI Refresher
- Public Key Infrastructure uses Digital Certificates and public key cryptography
- Data encrypted with the public key is decrypted with the private key, and vice versa
- Each device has a public key, a private key, and a certificate signed by the Certificate Authority
- Pre-Shared Key (PSK) deployments do not scale (symmetric keys)

ASA PKI SCEP Configuration
(Diagram: ASA enrolling with the CA over the Simple Certificate Enrollment Protocol)

  domain-name birdland.local
  ! ---- Create keys
  crypto key generate rsa general-keys modulus 2048
  ! ---- Configure Certificate Authority and SCEP URL
  crypto ca trustpoint PKI_CA
   enrollment url http://ca_server:80/certsrv/mscep/mscep.dll
  ! ---- Retrieve CA certificate (the ASA prints its fingerprint; confirm it out of band before accepting)
  crypto ca authenticate PKI_CA
  ! ---- Submit certificate request to CA
  crypto ca enroll PKI_CA

PKI Refresher
- Validation steps
  - Check the validity of the certificate based on date/time and certificate attributes
  - Check the certificate's signature using the stored Certificate Authority certificate
  - (optional) Check the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) to ensure the certificate is not revoked
- Enrollment options
  - Manually enroll the ASA and endpoints by creating certificates and loading them
  - The ASA can also use SCEP to enroll directly with the CA
  - VPN clients can enroll online through the ASA using the Simple Certificate Enrollment Protocol (SCEP) proxy
ASA certificate configuration reference (truncated URL on the slide): asa82/configuration/guide/cert_cfg.html

Section Quiz - Alphabet Soup! Expand these acronyms: ASA, SSL, PSK, PKI, AAA, VPN

IPsec Fundamentals

IPsec Connection Overview
(Diagram: Host A at the Branch Site behind Cisco Security Appliance A; Cisco Security Appliance B in front of Host B at the Central Office)
1. Interesting Traffic
2. Phase 1 (ISAKMP)
3. Phase 1.5 (ISAKMP)
4. Phase 2 (IPsec)
5. Data Transfer
6. IPsec Tunnel Termination

IPsec Connection Overview
1. Match Interesting Traffic
- An Access Control List (ACL) defines the matching source/destination addresses to protect
- Both sides have mirrored ACLs
- IKE kicks off when a packet matches the ACL

  ! ---- Interesting Traffic ACL
  access-list VPN_ACL extended permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
  ! ---- Crypto map creation. Bind crypto settings together.
  crypto map VPN_MAP 10 match address VPN_ACL
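"Both sides have mirrored ACLs" is the check that most often fails in practice: an ACE present on one peer whose src/dst mirror is missing on the other makes Phase 2 fail for those flows with a proxy-identity mismatch, while the rest of the tunnel looks healthy. The following is an added example, not code from the slides or from Cisco, that parses the crypto ACL format shown above, answers "is this packet interesting?" and diffs the two peers' ACLs for mirror mismatches. The two ACL texts are constructed sample data standing in for the slide's x.x.x.x placeholders.

```python
"""Parse ASA crypto ACLs, match 'interesting' traffic, and verify that the
two peers' ACLs mirror each other. Sample ACLs are constructed for this example."""
import ipaddress

ASA1_ACL = """\
access-list VPN_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.1.3.0 255.255.255.0 10.2.2.0 255.255.255.0
"""
ASA2_ACL = """\
access-list VPN_ACL extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.2.2.0 255.255.255.0 10.1.4.0 255.255.255.0
"""


def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] from
    'access-list NAME extended permit ip SRC MASK DST MASK' lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if len(f) != 9 or f[0] != "access-list" or f[2:5] != ["extended", "permit", "ip"]:
            raise ValueError("unsupported ACE for a crypto ACL: " + line)
        src = ipaddress.ip_network(f"{f[5]}/{f[6]}")   # ASA ACLs use netmasks, not wildcards
        dst = ipaddress.ip_network(f"{f[7]}/{f[8]}")
        entries.append((src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """True when a packet from src_ip to dst_ip would trigger/use the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def _as_strings(pairs):
    return sorted((str(s), str(d)) for s, d in pairs)


def mirror_mismatches(local_text, remote_text):
    """Return (ACEs only the local side has, ACEs only the remote side has),
    each expressed from the local side's point of view. Both lists must be
    empty for every protected flow to negotiate Phase 2 in both directions."""
    local = set(parse_crypto_acl(local_text))
    remote_mirrored = {(dst, src) for src, dst in parse_crypto_acl(remote_text)}
    return _as_strings(local - remote_mirrored), _as_strings(remote_mirrored - local)


if __name__ == "__main__":
    acl = parse_crypto_acl(ASA1_ACL)
    print("10.1.1.5 -> 10.2.2.9 interesting:", is_interesting(acl, "10.1.1.5", "10.2.2.9"))
    only_local, only_remote = mirror_mismatches(ASA1_ACL, ASA2_ACL)
    print("missing on ASA 2:", only_local)
    print("missing on ASA 1:", only_remote)
```

The parser deliberately rejects anything other than a plain `permit ip` ACE: `deny` entries, port-level ACEs and `any` in a crypto ACL are exactly the things that produce confusing one-directional tunnels, so it is better to fail loudly than to skip them.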

IPsec Connection Overview
2. Phase 1 - ISAKMP (IKE over UDP 500; UDP 4500 once NAT Traversal is detected)
- Main Mode or Aggressive Mode exchange
- ISAKMP policies matched
- Diffie-Hellman exchange creates the shared key
- Identities exchanged and authenticated
- ISAKMP Security Association (SA) created
- Phase 2 parameters negotiated

  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  ! ---- IKE must also be enabled on the interface that terminates the tunnel, e.g. crypto isakmp enable outside
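Two parts of this slide are worth seeing in code: how "ISAKMP policies matched" actually works (the responder walks its own policies in priority order and accepts the first one the initiator also offered; the shorter of the two lifetimes is used), and what "Diffie-Hellman exchange creates the shared key" means for the `group 2` / `hash sha` / `pre-share` settings above. The following is an added example, not code from the slides or from Cisco: it negotiates between two constructed policy sets, runs a DH exchange in RFC 2409 Oakley group 2 (the 1024-bit MODP group the ASA calls group 2), and derives the pre-shared-key SKEYID exactly as RFC 2409 section 5.4 defines it (prf = HMAC with the negotiated hash, keyed with the PSK, over the two nonces). The policy contents, priorities and the PSK are assumptions; the wire encoding of ISAKMP payloads is not modelled.

```python
"""IKEv1 Phase 1 essentials: policy negotiation, DH group 2, PSK SKEYID.
Policy sets and the PSK below are constructed for this example."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime, generator 2 ("group 2" on the ASA).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PRF_HASH = {"sha": "sha1", "md5": "md5"}     # isakmp 'hash' keyword -> hashlib name
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

# Constructed policy sets, keyed by priority (lower number = tried first).
ASA1_POLICIES = {
    10: dict(authentication="pre-share", encryption="aes-256", hash="sha", group=5, lifetime=86400),
    20: dict(authentication="pre-share", encryption="3des", hash="sha", group=2, lifetime=86400),
}
ASA2_POLICIES = {
    1: dict(authentication="pre-share", encryption="3des", hash="sha", group=2, lifetime=28800),
    5: dict(authentication="pre-share", encryption="aes", hash="sha", group=2, lifetime=86400),
}


def negotiate_policy(initiator, responder):
    """Responder scans its policies by priority and takes the first one the
    initiator also proposed. Returns (responder priority, agreed policy) or None."""
    for r_prio, r_pol in sorted(responder.items()):
        for i_prio in sorted(initiator):
            i_pol = initiator[i_prio]
            if all(i_pol[k] == r_pol[k] for k in MATCH_KEYS):
                # lifetimes need not match; the shorter one is used
                return r_prio, dict(r_pol, lifetime=min(i_pol["lifetime"], r_pol["lifetime"]))
    return None


class Peer:
    """One side of the DH exchange: private value, public value, nonce."""
    def __init__(self):
        self.priv = secrets.randbelow(GROUP2_P - 2) + 1   # x in [1, p-2]
        self.pub = pow(GROUP2_G, self.priv, GROUP2_P)       # g^x mod p, sent in KE payload
        self.nonce = secrets.token_bytes(16)                # Ni_b / Nr_b

    def shared_secret(self, peer_pub):
        # Reject 0, 1 and p-1: they force the shared secret into a trivial subgroup.
        if not 1 < peer_pub < GROUP2_P - 1:
            raise ValueError("invalid DH public value from peer")
        return pow(peer_pub, self.priv, GROUP2_P)           # g^xy mod p


def skeyid_psk(psk, ni, nr, hash_kw):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), prf = HMAC-<hash>."""
    return hmac.new(psk, ni + nr, PRF_HASH[hash_kw]).digest()


def run_phase1(init_policies, resp_policies, psk):
    """Negotiate, exchange DH values and nonces, and check both sides agree."""
    chosen = negotiate_policy(init_policies, resp_policies)
    if chosen is None:
        return {"policy": None}
    hash_kw = chosen[1]["hash"]
    init, resp = Peer(), Peer()
    k_i = init.shared_secret(resp.pub)       # each side uses the other's public value
    k_r = resp.shared_secret(init.pub)
    s_i = skeyid_psk(psk, init.nonce, resp.nonce, hash_kw)
    s_r = skeyid_psk(psk, init.nonce, resp.nonce, hash_kw)
    return {"policy": chosen, "dh_agreed": k_i == k_r,
            "skeyid_agreed": s_i == s_r, "skeyid_bits": len(s_i) * 8}


if __name__ == "__main__":
    print(run_phase1(ASA1_POLICIES, ASA2_POLICIES, b"s3cr3t"))
```

Two things the run makes visible: the initiator's preferred aes-256/group 5 policy is simply skipped because the responder has nothing matching it, and the 3des/group 2 fallback is what actually protects the SA, so a "strong" policy 10 is only as strong as the weakest policy you also leave configured. The SKEYID step is also why an attacker who captures an Aggressive Mode exchange with a weak PSK can brute-force it offline: everything except the PSK is on the wire.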

IPsec Connection Overview
3. Phase 1.5 - Xauth and mode config
- Additional user authentication
- Client configuration: IP address, DNS server, etc.

  tunnel-group VPN_REMOTE_ACCESS general-attributes
  ! ---- Phase 1.5 Xauth
  authe
