SSL Remote Access VPNs
An introduction to designing and configuring SSL virtual private networks
Jazib Frahim, CCIE® No. 5459
Qiang Huang, CCIE No. 4937
Cisco® SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.
SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.
SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.
Jazib Frahim, CCIE® No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP Dial.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: SSL VPNs
Introduction
Chapter 1: Introduction to Remote Access VPN Technologies
Remote Access Technologies 5
IPsec 5
Software-Based VPN Clients 7
Hardware-Based VPN Clients 7
SSL VPN 7
L2TP 9
L2TP over IPsec 11
PPTP 13
Summary 14
Chapter 2: SSL VPN Technology
Cryptographic Building Blocks of SSL VPNs 17
Hashing and Message Integrity Authentication 17
Hashing 18
Message Authentication Code 18
Encryption 20
RC4 21
DES and 3DES 22
AES 22
Diffie-Hellman 23
RSA and DSA 24
Digital Signatures and Digital Certification 24
Digital Signatures 24
Public Key Infrastructure, Digital Certificates, and Certification 25
SSL and TLS 30
SSL and TLS History 30
SSL Protocols Overview 31
OSI Layer Placement and TCP/IP Protocol Support 31
SSL Record Protocol and Handshake Protocols 33
SSL Connection Setup 34
Application Data 42
Case Study: SSL Connection Setup 43
DTLS 48
SSL VPN 49
Reverse Proxy Technology 50
URL Mangling 52
Content Rewriting 53
Port-Forwarding Technology 55
Terminal Services 58
SSL VPN Tunnel Client 58
Summary 59
References 60
Chapter 3: SSL VPN Design Considerations
Not All Resource Access Methods Are Equal 63
User Authentication and Access Privilege Management 65
User Authentication 66
Choice of Authentication Servers 66
AAA Server Scalability and High Availability 67
AAA Server Scalability 67
AAA Server High Availability and Resiliency 68
Resource Access Privilege Management 68
Security Considerations 70
Security Threats 71
Lack of Security on Unmanaged Computers 71
Data Theft 71
Man-in-the-Middle Attacks 72
Web Application Attack 73
Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73
Split Tunneling 73
Password Attacks 74
Security Risk Mitigation 74
Strong User Authentication and Password Policy 75
Choose Strong Cryptographic Algorithms 75
Session Timeout and Persistent Sessions 75
Endpoint Security Posture Assessment and Validation 75
VPN Session Data Protection 76
Techniques to Prevent Data Theft 76
Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77
Device Placement 78
Platform Options 79
Virtualization 79
High Availability 80
Performance and Scalability 81
Summary 82
References 82
Chapter 4: Cisco SSL VPN Family of Products
Overview of Cisco SSL VPN Product Portfolio 85
Cisco ASA 5500 Series 87
SSL VPN History on Cisco ASA 87
SSL VPN Specifications on Cisco ASA 88
SSL VPN Licenses on Cisco ASA 89
Cisco IOS Routers 90
SSL VPN History on Cisco IOS Routers 90
SSL VPN Licenses on Cisco IOS Routers 90
Summary 91
Chapter 5: SSL VPNs on Cisco ASA
SSL VPN Design Considerations 93
SSL VPN Prerequisites 95
SSL VPN Licenses 95
Client Operating System and Browser and Software Requirements 96
Infrastructure Requirements 97
Pre-SSL VPN Configuration Guide 97
Enrolling Digital Certificates (Recommended) 98
Step 1: Configuring a Trustpoint 98
Step 2: Obtaining a CA Certificate 99
Step 3: Obtaining an Identity Certificate 100
Setting Up ASDM 101
Uploading ASDM 102
Setting Up the Appliance 103
Accessing ASDM 104
Setting Up Tunnel and Group Policies 106
Configuring Group-Policies 107
Configuring a Tunnel Group 110
Setting Up User Authentication 110
Clientless SSL VPN Configuration Guide 114
Enabling Clientless SSL VPN on an Interface 116
Configuring SSL VPN Portal Customization 117
Logon Page 118
Portal Page 123
Logout Page 125
Portal Customization and User Group 126
Full Customization 129
Configuring Bookmarks 134
Configuring Websites 135
Configuring File Servers 137
Applying a Bookmark List to a Group Policy 139
Single Sign-On 140
Configuring Web-Type ACLs 141
Configuring Application Access 144
Configuring Port Forwarding 144
Configuring Smart Tunnels 147
Configuring Client-Server Plug-Ins 150
AnyConnect VPN Client Configuration Guide 152
Loading the SVC Package 154
Defining AnyConnect VPN Client Attributes 155
Enabling AnyConnect VPN Client Functionality 155
Defining a Pool of Addresses 156
Configuring Traffic Filters 159
Configuring a Tunnel Group 159
Advanced Full Tunnel Features 159
Split Tunneling 159
DNS and WINS Assignment 161
Keeping the SSL VPN Client Installed 162
Configuring DTLS 163
Cisco Secure Desktop 164
CSD Components 165
Secure Desktop Manager 165
Secure Desktop 165
Cache Cleaner 166
CSD Requirements 166
Supported Operating Systems 166
User Privileges 167
Supported Internet Browsers 167
Internet Browser Settings 167
CSD Architecture 168
Configuring CSD 169
Loading the CSD Package 169
Defining Prelogin Sequences 170
Host Scan 182
Host Scan Modules 183
Basic Host Scan 183
Endpoint Assessment 183
Advanced Endpoint Assessment 184
Configuring Host Scan 184
Setting Up Basic Host Scan 184
Enabling Endpoint Host Scan 186
Setting Up an Advanced Endpoint Host Scan 187
Dynamic Access Policies 189
DAP Architecture 190
DAP Records 191
DAP Selection Rules 191
DAP Configuration File 191
DAP Sequence of Events 191
Configuring DAP 192
Selecting a AAA Attribute 193
Selecting Endpoint Attributes 195
Defining Access Policies 197
Deployment Scenarios 205
AnyConnect Client with CSD and External Authentication 206
Step 1: Set Up CSD 207
Step 2: Set Up RADIUS for Authentication 207
Step 3: Configure AnyConnect SSL VPN 208
Clientless Connections with DAP 209
Step 1: Define Clientless Connections 210
Step 2: Configuring DAP 211
Monitoring and Troubleshooting SSL VPN 212
Monitoring SSL VPN 212
Troubleshooting SSL VPN 215
Troubleshooting SSL Negotiations 215
Troubleshooting AnyConnect Client Issues 215
Troubleshooting Clientless Issues 217
Troubleshooting CSD 219
Troubleshooting DAP 219
Summary 220
Chapter 6: SSL VPNs on Cisco IOS Routers
SSL VPN Design Considerations 223
IOS SSL VPN Prerequisites 225
IOS SSL VPN Configuration Guide 226
Configuring Pre-SSL VPN Setup 226
Setting Up User Authentication 226
Enrolling Digital Certificates (Recommended) 229
Loading SDM (Recommended) 232
Initial SSL VPN Configuration 235
Step 1: Setting Up an SSL VPN Gateway 237
Step 2: Setting Up an SSL VPN Context 239
Step 3: Configuring SSL VPN Look and Feel 241
Step 4: Configuring SSL VPN Group Policies 245
Advanced SSL VPN Features 247
Configuring Clientless SSL VPNs 247
Windows File Sharing 253
Configuring Application ACL 257
Thin Client SSL VPNs 259
Step 1: Defining Port-Forwarding Lists 261
Step 2: Mapping Port-Forwarding Lists to a Group Policy 262
AnyConnect SSL VPN Client 264
Step 1: Loading the AnyConnect Package 264
Step 2: Defining AnyConnect VPN Client Attributes 266
Cisco Secure Desktop 276
CSD Components 277
Secure Desktop Manager 277
Secure Desktop 277
Cache Cleaner 278
CSD Requirements 278
Supported Operating Systems 278
User Privileges 279
Supported Internet Browsers 279
Internet Browser Settings 279
CSD Architecture 280
Configuring CSD 281
Step 1: Loading the CSD Package 282
Step 2: Launching the CSD Package 283
Step 3: Defining Policies for Windows-Based Clients 283
Defining Policies for Windows CE 298
Defining Policies for the Mac and Linux Cache Cleaner 298
Deployment Scenarios 301
Clientless Connections with CSD 301
Step 1: User Authentication and DNS 302
Step 2: Set Up CSD 303
Step 3: Define Clientless Connections 303
AnyConnect Client and External Authentication 304
Step 1: Set Up RADIUS for Authentication 305
Step 2: Install the AnyConnect SSL VPN 306
Step 3: Configure AnyConnect SSL VPN Properties 306
Monitoring an SSL VPN in Cisco IOS 307
Summary 311
Chapter 7: Management of SSL VPNs
Multidevice Policy Provisioning 314
Device View and Policy View 314
Device View 314
Policy View 318
Use of Common Objects for Multidevice Management 320
Workflow Control and Role-Based Access Control 322
Workflow Control 323
Workflow Mode 324
Role-Based Administration 326
Native Mode 326
Cisco Secure ACS Integration Mode 327
Summary 331
References 331
1587052423 TOC 5/13/2008