Page 1 (source: d2zmdbbm9feqrf.cloudfront.net/2013/eur/pdf/BRKSEC-2697.pdf)

Page 2

© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2097 Cisco Public

Remote Access using Clientless VPN

Thorsten Rosendahl

[email protected]

BRKSEC-2097

Page 3

Agenda

• Integrate

• Enable IT

• Add real Users

Page 4

This Breakout

• Will cover

‒ ASA as the Headend

‒ Clientless Access

…with focus on 9.0 Release

• Won’t cover

‒ IOS headends

‒ The AnyConnect Client (BRKSEC-3033)

‒ Cisco Secure Desktop

The embedded videos are available at http://ciscosales.webex.com/meet/trosenda

Page 5

Cisco Secure Desktop

The following features are deprecated (November 20, 2012):

‒ Secure Desktop (Vault)

‒ Cache Cleaner

‒ Keystroke Logger Detection (KSL)

‒ Host Emulation Detection

http://www.cisco.com/en/US/docs/security/csd/csd36/public_notices/vault_cc_ksl_host_emulation_deprecat_notice.html

Page 6

Overview: Hardware

• Every ASA can handle Clientless SSL VPN

• A 5505 can handle up to 25 Sessions

• A 5585 can handle up to 10,000 Sessions

• As rewriting of Content occurs, CPU is more important than throughput

Page 7

Licensing: Software

• We need a DES (K8) and/or 3DES (K9) License

• We need an “AnyConnect Premium” License, as this enables Clientless (default 2 per chassis)

• Premium and Essentials can *not* run concurrently

Page 8

Client(less) Requirements

Browser support:

OS             Firefox  Chrome  IE     Safari
Windows XP     3+       6+      6/7/8
Windows Vista  3+       6+      7/8/9
Windows 7      3+       6+      8/9
Windows 8      tbd      tbd     tbd    tbd
MacOS X        3+       6+             3/4/5
Linux          3+

http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

Plugins: ActiveX (32bit) / Java 1.4-1.7

Smart Tunnels: x86/64 only, no Itanium or PPC

Port Forwarding: 32 bit only

OS             Plugins  Smart Tunnels  Port Forwarding
Windows XP     ✓        ✓              ✓
Windows Vista  ✓        ✓              ✓
Windows 7      ✓        ✓              -
Windows 8      tbd      tbd            tbd
MacOS X        ✓        ✓              ✓
Fedora Core 4  -        -              ✓

Page 9

Overview (figure): the ASA sits between the browser side (https) and the server side, where it speaks http[s], ftp/cifs, Smart tunnels (TCP), Port forwarding (TCP) and Plugins (ssh, telnet, rdp, vnc, citrix).

Page 10

Secure Sockets Layer (SSL) Overview

• A “Secure Protocol” developed by Netscape for secure e-commerce.

• SSL 2.0 was released in 1994, but had flaws and was replaced by SSL 3.0. Transport Layer Security (TLS) was published in 1999 and continued to evolve.

• Creates a tunnel between web browser and web server: authenticated and encrypted (RC4, 3DES, DES, AES)

• https://, usually over TCP/443. A closed lock indicates SSL-enabled!

Refer to RFC 2246 for TLS 1.0, RFC 4346 (2006) for TLS 1.1 and RFC 5246 (2008) for TLS 1.2.

Page 11

SSL on ASA

ssl-lab# show crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 null-sha1
SSL trust-points:
  outside interface: ASDM_TrustPoint0
Certificate authentication is not enabled
ssl-lab#

Parameters that identify the protocol, encryption algorithm and hash function.

Page 12

Overview (figure): ASA, with https on the browser side and http[s] on the server side.

Page 13

Content Transformation Engine

Rewrites HTML[5], Java, JavaScript, Flash, SVG, CSS

Example* with backend server 10.1.1.66:

Browser → ASA:    GET /intranetsite/index.html HTTP/1.0
ASA → Server:     GET /index.html HTTP/1.0
Server → ASA:     <a href="/about.html">About</a>
ASA → Browser:    <a href="/intranetsite/about.html">About</a>

* Very Simplified statement
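To make the "very simplified statement" on this slide concrete, the following is an added Python model of the rewriting step (example code written for this transcript, not Cisco's engine or any code from the deck). It assumes a single portal prefix /intranetsite mapped to the backend 10.1.1.66 (both taken from the slide); the mapping table, the rewritten attribute names (href, src, action) and the treatment of relative URLs are assumptions of this model. It rewrites only HTML attributes, which is exactly why it falls short of the real engine: a URL assembled inside a <script> block passes through untouched, and that is the class of content the slide says the ASA additionally has to parse.

```python
"""Simplified model of the link rewriting the Content Transformation Engine does.

Added illustration for this slide, not Cisco code. A portal path prefix
('/intranetsite') stands for a backend host (10.1.1.66); requests have the
prefix stripped, and links in the backend's HTML get the prefix added so the
browser keeps talking to the ASA. The real engine also handles JavaScript, CSS,
Flash and SVG; this model deliberately does not.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed mapping: portal prefix -> backend host (values from the slide).
PORTAL_MAP = {"/intranetsite": "10.1.1.66"}


def inbound_request(portal_path):
    """Map the path the browser requested from the ASA to (backend_host, backend_path)."""
    for prefix, host in PORTAL_MAP.items():
        if portal_path == prefix or portal_path.startswith(prefix + "/"):
            return host, portal_path[len(prefix):] or "/"
    raise ValueError("no portal mapping for " + portal_path)


def rewrite_url(url, prefix, backend_host):
    """Rewrite one URL from the backend's response so it points back through the ASA.

    Root-relative URLs ('/about.html') and absolute URLs to the backend host get the
    prefix. Document-relative URLs ('about.html') are resolved by the browser under the
    already-prefixed page URL, and foreign hosts, mailto: and '#anchor' are left alone.
    """
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname == backend_host:
        tail = ("?" + parts.query if parts.query else "") + ("#" + parts.fragment if parts.fragment else "")
        return prefix + (parts.path or "/") + tail
    if not parts.scheme and not parts.netloc and url.startswith("/"):
        return prefix + url
    return url


class LinkRewriter(HTMLParser):
    """Rewrites href/src/action attribute values; everything else is echoed verbatim."""

    REWRITE_ATTRS = {"href", "src", "action"}

    def __init__(self, prefix, backend_host):
        super().__init__(convert_charrefs=False)
        self.prefix, self.backend_host, self.out = prefix, backend_host, []

    def _emit_tag(self, tag, attrs, self_closing=False):
        pieces = []
        for name, value in attrs:
            if value is not None and name in self.REWRITE_ATTRS:
                value = rewrite_url(value, self.prefix, self.backend_host)
            pieces.append(name if value is None else '%s="%s"' % (name, value))
        self.out.append("<%s%s%s>" % (tag, "".join(" " + p for p in pieces), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    # Text, entities and comments pass through untouched. A URL built inside
    # <script> arrives here as plain text and is NOT rewritten by this model.
    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)


def rewrite_html(html, prefix, backend_host):
    """Return the backend's HTML with its links rewritten for delivery to the browser."""
    parser = LinkRewriter(prefix, backend_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(inbound_request("/intranetsite/index.html"))
    print(rewrite_html('<a href="/about.html">About</a>', "/intranetsite", "10.1.1.66"))
    print(rewrite_html('<script>var u="/about.html";</script>', "/intranetsite", "10.1.1.66"))
</test>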

Page 14

Content Transformation Engine

Server Certificate Validation (ASA v9.0): new commands

ssl-lab(config-webvpn)# ssl-server-check ?

webvpn mode commands/options:
  deny-on-failure  Disconnect the connection and show the denying page to end users on failure of verification
  warn-on-failure  Show the warning page to end users on failure of verification

ssl-lab(config)# crypto ca trustpool ?

configure mode commands/options:
  policy  Define trustpool policy

exec mode commands/options:
  export  Export a trustpool bundle
  import  Import a trustpool bundle
  remove  Remove a trustpool certificate

ssl-lab(config)#

Page 15

Overview (figure): ASA, with https on the browser side and http[s] and ftp/cifs on the server side.

Page 16

Files Access (figure)

Browser → ASA: GET /+CSCOE+/files/browse.html?code=init&path=cifs%3A%2F%2F31302E312E312E3636%2FC%24 HTTP/1.1

Callout: %3A%2F%2F31302E312E312E3636
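The path= parameter in this request is worth being able to read when it shows up in logs or captures. After URL-decoding it is cifs://31302E312E312E3636/C$, and the host part is the hex encoding of the ASCII string 10.1.1.66 (the backend address used elsewhere in this deck; the same encoded host appears again in the port-forwarding URL on page 19). The following decoder is an added example written for this transcript, not Cisco code; the request line it parses is the one on the slide, and the restriction to the cifs and ftp schemes is an assumption taken from the file-access types this deck mentions.

```python
"""Decoder for the path= parameter of the clientless file-browser request on the slide.

Added illustration, not Cisco code. After URL-decoding, the request's path value is
'cifs://31302E312E312E3636/C$'; the host part is the hex encoding of the ASCII
string '10.1.1.66', which can be verified by hand.
"""
from urllib.parse import urlsplit, parse_qs


def decode_hex_host(hex_host):
    """'31302E312E312E3636' -> '10.1.1.66'; rejects odd-length input and unprintable results."""
    if not hex_host or len(hex_host) % 2:
        raise ValueError("hex host must have an even, non-zero length")
    host = bytes.fromhex(hex_host).decode("ascii")
    if not host.isprintable():
        raise ValueError("decoded host is not printable")
    return host


def parse_browse_request(request_line):
    """Parse a 'GET /+CSCOE+/files/browse.html?... HTTP/1.1' line into its components."""
    method, target, _version = request_line.split()
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/+CSCOE+/files/browse.html":
        raise ValueError("not a clientless file-browser request")
    qs = parse_qs(parts.query)          # percent-decodes once: %3A%2F%2F -> ://
    raw = qs["path"][0]
    scheme, _, rest = raw.partition("://")
    if scheme not in ("cifs", "ftp"):   # assumption: the file-access schemes this deck mentions
        raise ValueError("unexpected scheme: " + scheme)
    host, _, share_and_path = rest.partition("/")
    share, _, path = share_and_path.partition("/")
    return {"code": qs.get("code", [""])[0], "scheme": scheme,
            "host": decode_hex_host(host), "share": share, "path": path}


def is_hidden_share(share):
    """Windows hides shares whose name ends in '$'; C$ is the administrative root share."""
    return share.endswith("$")


# Constructed input: the request line from the slide.
SAMPLE_REQUEST = ("GET /+CSCOE+/files/browse.html?code=init"
                  "&path=cifs%3A%2F%2F31302E312E312E3636%2FC%24 HTTP/1.1")

if __name__ == "__main__":
    parsed = parse_browse_request(SAMPLE_REQUEST)
    print(parsed, "hidden share:", is_hidden_share(parsed["share"]))
```

The decoded share is C$, an administrative share, which is the kind of access the group-policy settings shown later in this deck (hidden-shares none, file-browsing disable, file-entry disable on page 63) are there to control.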

Page 17

Overview (figure, as on page 9): the ASA between the browser side (https) and the server side with http[s], ftp/cifs, Smart tunnels (TCP), Port forwarding (TCP) and Plugins (ssh, telnet, rdp, vnc, citrix).

Page 18

Overview (figure): ASA

Page 19

Overview (figure): Smart tunnels / Port forwarding

GET /+CSCOE+/tunnel_mac.jnlp?….HTTP/1.1
GET /+CSCOE+/relayocx.html?p=w32 HTTP/1.1

(java/active-x delivered from the ASA to the browser)

TCP/22, TCP/3389, etc.

Callout: %3A%2F%2F31302E312E312E3636

Page 20

Plugins

• “In Browser Access” to rdp, ssh, vnc, citrix resources

• No Need for an Application on the Client, just java/active-x

• Supported on Windows and Mac OS X platforms only.

Page 21

Smart Tunnels: Use Cases

• For Web Applications/Bookmarks if CTE fails (shouldn’t happen)

• For Non-Web-Applications, TCP only, like Telnet, Passive FTP, SSH, RDP, VNC, VMWare View (rdp, not PCoIP), but the Application has to reside on the Endpoint.

• Supported on Windows and Mac OS X platforms only.

• Supported on x86 and x64 architectures only

• Requires Active X or Java enabled browsers.

• Better Performance than Plugins

Page 22

Port Forwarding

• “Legacy” method, kept for compatibility

• Application on end System needs to be reconfigured

• Smart tunnels offer better Performance

• Smart tunnels do not need Admin privileges

Page 23

First Time Setup


Page 26

CLI Config Overview

webvpn
 enable outside
group-policy it internal
group-policy it attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
 exit
exit
tunnel-group it type remote-access
tunnel-group it general-attributes
 default-group-policy it
tunnel-group it webvpn-attributes
 group-alias it enable
 group-url https://10.1.30.254/it enable

• Group Policies: what can be done during a session (ACL, Times, Portal, Customization, …)

• Connection Profiles: what is needed to establish a session (AAA, Username Mapping, Alias, url, …) and map that back to a group

Page 27

Connection Profile / tunnel-group

Page 28

Screenshot callouts: DNS lookup for the Clients; Group Policy; Primary Authentication

Page 29

Screenshot callout: If (Client) Certificates are used for authentication.

Page 30

Secondary (double) authentication

With secondary authentication enabled, the User *must* present two sets of credentials

Page 31

Authorization

The authorization Server takes precedence over “Secondary Authentication Server -> Attribute Server”

Page 32

How Clients connect

Screenshot callouts: Alias which appears in drop down list; Direct URL (like apache vhosts)

Page 33

Group Policies

Page 34

Let’s rollout to some users

Screenshot callouts: Assign an ACL; Inherit from DfltGrpPolicy

Page 35

WEB ACL

• Allow to filter on URLs with wildcard support (smart-tunnel is a URL as well)

• Allow to filter on IP Address and Service

Page 36

Portal Policy

Freedom vs. Workload?

Screenshot callout: Assign a bookmark list*

* Dedicated (next) Chapter

Page 37

Smart Tunnels

Screenshot callouts: Include / Exclude / All; Define a list of Application(s)

Page 38

Smart Tunnel Entry

Screenshot callouts: Windows / Mac; Full Path for Mac; Name of Process (Parent)

Page 39

Group Policy – More Options - Customization

Screenshot callout: Apply Customization (This is Portal Only)

Page 40

Single Sign-on

3 Methods Available:

• Auto Sign-On

• External SSO Servers

• Kerberos Constrained Delegation (Global)

Page 41

Auto Sign-On

• Submits static Clientless SSL Login credentials to

‒ Web Servers, ftp/cifs shares, Webapps with smart tunnels, plugins

• Supports

‒ Basic, NTLMv1, FTP or CIFS authentication, HTTP Form*

• Can use double authentication when users are authenticated by OTP or Certificates

Page 42

External SSO Servers

• SAML 1.1 (Browser) Post Profile (push, != pull)

‒ ASA plays the role of asserting party (sends assertions), the SAML Server that of relying party, hence the ASA cannot accept assertions (Novell Identity Manager)

‒ SAML1 Federated/Trust component is not supported

‒ Only Single Cookie Domain is supported

• Works with RSA ClearTrust, CA Siteminder, Entrust GetAccess (CTSESSION, SMSESSION, AUTH_SESSION_ID) SAML COOKIE

Page 43

Kerberos Constrained Delegation - KCD

• Global configuration

• Useful to extend Certificate- and OTP-based authentication methods to web applications.

Flow (figure; participants: Client, ASA, Kerberized Server, Domain Controller (KDC)):

1. Client → ASA: Login, Access URL
2. ASA → Kerberized Server: GET
3. Kerberized Server → ASA: Challenge, SPNEGO
4. ASA → KDC: Request impersonate Ticket
5. KDC → ASA: Return Ticket with User authorization Data
6. ASA → KDC: Request Service Ticket
7. KDC → ASA: Return Service Ticket
8. ASA → Kerberized Server: Use Service Ticket
9. Kerberized Server → ASA: Reply
10. ASA → Client: Reply

Page 44

Per User editable Bookmarks

Screenshot callouts: smb or ftp Username:password@host:port/path; Storage Key to encrypt data

Page 45

Bookmarks

Page 46

Bookmarks are organized into Lists

• More convenient to end users

• Bookmark Lists can be assigned to group(s)

Page 47

Bookmarks

ASA v9.0 added 2 new Types:

• URL with GET or POST method

• Predefined Application Templates, HTML form auto-submit

Page 48

URL with GET or POST method

Screenshot callouts: Create a meaningful Title; Enter URL; For Post, define Parameters

Page 49

Predefined Application Templates

Screenshot callout: Select a Predefined App

Predefined Templates for well known Applications prepopulate settings.

Page 50

Outlook Web Access

Screenshot callouts: Create a meaningful Title; Optional Icon; http/https; Host Name; See next slide; Select Application

Page 51

Variables

Variable Name:

CSCO_WEBVPN_USERNAME

CSCO_WEBVPN_PASSWORD

CSCO_WEBVPN_INTERNAL_PASSWORD

CSCO_WEBVPN_CONNECTION_PROFILE

CSCO_WEBVPN_PRIMARY_USERNAME

CSCO_WEBVPN_PRIMARY_PASSWORD

CSCO_WEBVPN_SECONDARY_USERNAME

CSCO_WEBVPN_SECONDARY_PASSWORD

CSCO_WEBVPN_MACRO1

CSCO_WEBVPN_MACRO2

See Connection Profile / Customization to enable

Page 52

Outlook Web Access

Screenshot callouts: Auto appended; Predefined; From previous screen

Page 53

VIDEO WALK THROUGH


Page 56

Customization

Page 57

Customization

Is divided into 5 Main Parts:

• General

• Logon Page

• Portal Page

• Logout Page

• External Portal Page

Page 58

Screenshot callout: Will be enabled in Connection Profile

Page 59

External Portal with new Bookmark Methods

Page 60

Adding a second Group

Page 61

Enabling Users to access Outlook Web Access only

Combining What we have seen so far:

• Create a new Customization which enables “External Portal Page”

• Setup URL with “Predefined Application Templates”

• Create a Group Policy which only allows OWA

• Create a Connection Profile which accepts https://ssl-lab.cisco.com/owa

Page 62

Screenshot callouts: Only First time; From there on

Page 63

Group Policy / Connection Profile

access-list owa_only webtype permit url https://mail.cisco.com/* log default
access-list owa_only webtype deny url any log default
!
group-policy owa internal
group-policy owa attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value owa_only
  customization value owa
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
!
tunnel-group owa_only type remote-access
tunnel-group owa_only general-attributes
 authentication-server-group LDAP
 default-group-policy owa
tunnel-group owa_only webvpn-attributes
 group-alias owa enable
 group-url https://ssl-lab.cisco.com/owa enable
!

Page 64

VIDEO WALK THROUGH


Page 66

A word about (Web)ACLs

• Remember that many emails contain html links nowadays

• The owa_only ACL above might be too restrictive
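To see what the warning on this slide means in practice, here is an added Python evaluator for webtype ACLs of the form used on pages 35, 63 and 66 (example code written for this transcript, not Cisco code). It models only the "url" entries with "*" as the wildcard, first match wins and an implicit deny at the end; treat the wildcard handling as an approximation of the ASA's matching rather than a specification. The owa_only ACL is copied from page 63; the second ACL, the intranet host name and the sample mail links are constructed for the example.

```python
"""Evaluator for ASA-style 'webtype' ACL lines:
  access-list NAME webtype permit|deny url PATTERN|any [log default]

Added illustration, not Cisco code. First match wins, no match means deny;
'*' is the only wildcard modelled. Treat this as an approximation of the
ASA's URL matching, not as its specification.
"""
import re

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+webtype\s+(permit|deny)\s+url\s+(\S+)")


def parse_webtype_acls(config_text):
    """Return {acl_name: [(action, pattern), ...]} preserving configured order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            name, action, pattern = m.groups()
            acls.setdefault(name, []).append((action, pattern))
    return acls


def pattern_matches(pattern, url):
    """'any' matches everything; otherwise '*' matches any run of characters."""
    if pattern == "any":
        return True
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, url, re.IGNORECASE) is not None


def evaluate(entries, url):
    """First matching entry decides; no match means deny (implicit deny)."""
    for action, pattern in entries:
        if pattern_matches(pattern, url):
            return action, pattern
    return "deny", "<implicit>"


def links_blocked(entries, urls):
    """Given links found in, say, a mail body, list those the ACL would deny."""
    return [u for u in urls if evaluate(entries, u)[0] == "deny"]


# Constructed config: the owa_only ACL from page 63, plus a looser variant that also
# admits an (assumed) intranet host reached through the portal.
SAMPLE_CONFIG = """
access-list owa_only webtype permit url https://mail.cisco.com/* log default
access-list owa_only webtype deny url any log default
access-list owa_and_intranet webtype permit url https://mail.cisco.com/* log default
access-list owa_and_intranet webtype permit url https://intranet.example.test/* log default
access-list owa_and_intranet webtype deny url any log default
"""

# Constructed links as they might appear in a mail message opened through OWA.
MAIL_LINKS = [
    "https://mail.cisco.com/owa/?ae=Item&id=1",
    "https://intranet.example.test/hr/policy.html",
    "http://mail.cisco.com/owa/",   # same host, but plain http: the https pattern does not match
]

if __name__ == "__main__":
    for name, entries in parse_webtype_acls(SAMPLE_CONFIG).items():
        print(name, "blocks", links_blocked(entries, MAIL_LINKS))
```

Run against the constructed links, owa_only blocks everything except the OWA link itself, which is the "too restrictive" effect the slide warns about; the looser ACL still blocks the plain-http link, a reminder that the scheme is part of the pattern.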

Page 67

Tips

Page 68

Little Troubleshooting tips

Familiarize yourself with working examples of:
debug webvpn [chunk|cifs|citrix|failover|html|javascript|request|response|transformation|url|util|xml]

Notice that there is a capture type “webvpn”. This capture should be used for a particular User, not all traffic. Unzipping the capture requires a password “koleso” (no quotes).

The extracted files have the following naming format:
<request number>-<response/request files/log>-<front-end|backend><0-original content | 1-content after transfer encoding>

For example, let's suppose we need to look at captures for the very first request. We need to look for file names starting with "1-":

1-req-f0 - request received by WebVPN from the browser
1-req-b0 - request sent to the backend server
1-res-b0 - response WebVPN received from the backend server
1-res-f0 - response after transformer
1-res-f1 - response after transformer sent to the browser with transfer encoding applied by ASA (gzip, chunked)
1-log - log entries for the request
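The naming scheme above is easy to misread on a directory with dozens of requests, so here is an added Python helper (example code written for this transcript, not Cisco code) that classifies the files of an unzipped webvpn capture by request number and reports which of the five documented stage files are absent for a request. The stage descriptions are the ones given on the slide; the file list it runs on is constructed.

```python
"""Reader for an unzipped 'capture type webvpn' bundle, following the naming format
on the slide:  <request number>-<req|res>-<f|b><0|1>  and  <request number>-log.

Added illustration, not Cisco code; the file list below is constructed.
"""
import re
from collections import defaultdict

NAME_RE = re.compile(
    r"^(?P<req>\d+)-(?:(?P<kind>req|res)-(?P<side>[fb])(?P<enc>[01])|(?P<log>log))$")

# Stage descriptions as given on the slide for request 1.
STAGES = {
    ("req", "f", "0"): "request received by WebVPN from the browser",
    ("req", "b", "0"): "request sent to the backend server",
    ("res", "b", "0"): "response WebVPN received from the backend server",
    ("res", "f", "0"): "response after transformer",
    ("res", "f", "1"): "response after transformer, with transfer encoding applied by ASA (gzip, chunked)",
}


def describe(filename):
    """(request number, description) for a capture file name, or None for other files."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    if m.group("log"):
        return int(m.group("req")), "log entries for the request"
    key = (m.group("kind"), m.group("side"), m.group("enc"))
    return int(m.group("req")), STAGES.get(key, "stage %s (not described on the slide)" % "-".join(key))


def group_by_request(filenames):
    """{request number: [(filename, description), ...]} in name order; unrelated files skipped."""
    groups = defaultdict(list)
    for name in sorted(filenames):
        d = describe(name)
        if d:
            groups[d[0]].append((name, d[1]))
    return dict(groups)


def missing_stages(filenames, request_number):
    """Names of the five documented stage files that are absent for one request.

    A request with '<n>-req-b0' but no '<n>-res-b0' had no backend response captured,
    which is the first thing to check when a page comes back empty or broken.
    """
    present = set()
    for name in filenames:
        d = describe(name)
        if d and d[0] == request_number:
            present.add(name)
    expected = ["%d-%s-%s%s" % (request_number, k, s, e) for (k, s, e) in STAGES]
    return [name for name in expected if name not in present]


# Constructed file list: request 1 is complete, request 2 never got a backend response.
SAMPLE_FILES = ["1-req-f0", "1-req-b0", "1-res-b0", "1-res-f0", "1-res-f1", "1-log",
                "2-req-f0", "2-req-b0", "2-log", "README.txt"]

if __name__ == "__main__":
    for req, files in group_by_request(SAMPLE_FILES).items():
        print(req, [f for f, _ in files], "missing:", missing_stages(SAMPLE_FILES, req))
```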

Page 69

AAA

Page 70

AAA

                 local  Radius  LDAP  Tacacs+  NT Domain  SDI  Kerberos  HTTP Form
Authentication   Y      Y       Y     Y        Y          Y    Y         Y
Authorization    Y*     Y       Y     N        N          N    N         N
Accounting       N      Y       N     Y?       N          N    N         N

Page 71

LDAP

• ASA supports LDAP v3 with plain text and SASL

• SASL supports Digest-MD5 and Kerberos (GSSAPI)

• Tested with Java System Directory Server, MS-AD, Novell, OpenLDAP

• To learn LDAP Structure and for troubleshooting see http://www.softerra.com or use LDP.exe (Windows 2008)

• We will walk through Active Directory Configuration now

Page 72

For the Active Directory Admin it looks like (screenshot)

Page 73

We have to deal with

Screenshot callouts: Where we find Users; Sample Attribute

Page 74

Where we find Users

MS AD in this example

As MS requires Login, enter a valid User. N.B.: Administrator is for LAB use only

Page 75: Remote Access using Clientless VPNd2zmdbbm9feqrf.cloudfront.net/2013/eur/pdf/BRKSEC-2697.pdf · Remote Access using Clientless VPN ... • Every ASA can handle Clientless SSL VPN

© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2097 Cisco Public

LDAP bind

75

debug ldap enabled at level 100

ssl-lab#

[422] Session Start

[422] New request Session, context 0x00007fff2ef348f8, reqType = Authentication

[422] Fiber started

[422] Creating LDAP context with uri=ldap://10.1.1.66:389

[422] Connect to LDAP server: ldap://10.1.1.66:389, status = Successful

[422] supportedLDAPVersion: value = 3

[422] supportedLDAPVersion: value = 2

[422] Binding as Administrator

[422] Performing Simple authentication for Administrator to 10.1.1.66

[422] LDAP Search:

Base DN = [CN=Users,DC=duslab,DC=cisco,DC=com]

Filter = [sAMAccountName=trosenda]

Scope = [SUBTREE]

[422] User DN = [CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com]

[422] Talking to Active Directory server 10.1.1.66

[422] Reading password policy for trosenda, dn:CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com

[422] Read bad password count 0


LDAP Attributes

[422] Binding as trosenda

[422] Performing Simple authentication for trosenda to 10.1.1.66

[422] Processing LDAP response for user trosenda

[422] Message (trosenda):

[422] Authentication successful for trosenda to 10.1.1.66

[422] Retrieved User Attributes:

[TRUNCATED TO FIT SCREEN]

[422] cn: value = thorsten rosendahl

[422] sn: value = rosendahl

[422] givenName: value = thorsten

[422] distinguishedName: value = CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com

[TRUNCATED TO FIT SCREEN]

[422] displayName: value = thorsten rosendahl

[422] uSNCreated: value = 20557

[422] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com

[422] wWWHomePage: value = 10.1.1.66

[TRUNCATED TO FIT SCREEN]

[422] Fiber exit Tx=596 bytes Rx=2436 bytes, status=1

[422] Session End

LDAP Attribute Maps

• Since LDAP provides additional Attributes, we can use them to:

‒ Map LDAP Group Membership to a Group Policy

‒ Map User Attributes to Bookmarks

• The goal is to let LDAP decide on the Group-Policy rather than hand out different URLs (/beta, /owa)

Enabling the ASA to parse and use Attributes that exist in your Directory


LDAP memberOf = Cisco Group Policy

Start here


Mapping the value as well

Complete here


Create a mapping

One by One


Mapping a second Attribute

“Web page” in Microsoft view


Picking up CSCO_WEBVPN_MACRO1 in Bookmarks

This String will resolve to an Address


Debug view

debug ldap enabled at level 100

ssl-lab#

[TRUNCATED]

[425] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com

[425] mapped to Group-Policy: value = owa

[425] mapped to LDAP-Class: value = owa

[TRUNCATED]

[425] wWWHomePage: value = 10.1.1.66

[425] mapped to WebVPN-Macro-Substitution-Value1: value = 10.1.1.66
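The attribute-map slides above (memberOf mapped to Group-Policy, wWWHomePage mapped to WebVPN-Macro-Substitution-Value1, and the macro picked up in a bookmark) can be modelled in a few lines. The following is an added example, not ASA code or anything from the session: it parses attribute lines in the shape of the debug output (constructed sample), applies a map-name/map-value table, expands CSCO_WEBVPN_MACRO1 in a bookmark URL, and shows what happens to a user whose group has no map-value entry. The pass-through of unmapped values and the "only a configured group policy counts, otherwise fall back to the default" rule are assumptions of this model, to be checked against the ASA release in use.

```python
import re
from typing import Dict, List

# Constructed sample input: attribute lines in the shape of the slides' "debug ldap" output.
SAMPLE_DEBUG = """\
[425] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
[425] wWWHomePage: value = 10.1.1.66
[425] displayName: value = thorsten rosendahl
"""

ATTR_LINE = re.compile(r"^\[\d+\] ([A-Za-z0-9]+): value = (.*)$")


def parse_debug_attributes(text: str) -> Dict[str, List[str]]:
    """Collect '[n] name: value = ...' lines into a dict; multi-valued
    attributes such as memberOf keep every value in order."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


class LdapAttributeMap:
    """Model of the two halves of an ASA LDAP attribute map:
    map-name  : LDAP attribute name  -> ASA attribute name
    map-value : LDAP attribute value -> ASA attribute value (per attribute)
    A value with no map-value entry passes through unchanged in this model
    (assumption; verify against your ASA release)."""

    def __init__(self) -> None:
        self.names: Dict[str, str] = {}
        self.values: Dict[str, Dict[str, str]] = {}

    def map_name(self, ldap_attr: str, asa_attr: str) -> "LdapAttributeMap":
        self.names[ldap_attr] = asa_attr
        return self

    def map_value(self, ldap_attr: str, ldap_value: str, asa_value: str) -> "LdapAttributeMap":
        # Group DNs are compared case-insensitively, as LDAP DNs normally are.
        self.values.setdefault(ldap_attr, {})[ldap_value.lower()] = asa_value
        return self

    def apply(self, attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
        """Return only the ASA attributes the map produces, i.e. the
        'mapped to ...' lines of the debug output."""
        mapped: Dict[str, List[str]] = {}
        for ldap_attr, values in attrs.items():
            asa_attr = self.names.get(ldap_attr)
            if asa_attr is None:
                continue  # attribute not named in the map is ignored
            table = self.values.get(ldap_attr, {})
            for v in values:
                mapped.setdefault(asa_attr, []).append(table.get(v.lower(), v))
        return mapped


def resolve_group_policy(mapped: Dict[str, List[str]], configured: set, default: str) -> str:
    """Model rule: the first mapped Group-Policy that exists on the box wins;
    a raw DN from an unmapped group, or nothing mapped at all, falls back to
    the connection profile's default group policy."""
    for candidate in mapped.get("Group-Policy", []):
        if candidate in configured:
            return candidate
    return default


def substitute_macros(url: str, mapped: Dict[str, List[str]]) -> str:
    """Expand CSCO_WEBVPN_MACRO1/2 in a bookmark URL from the mapped
    WebVPN-Macro-Substitution-Value1/2 attributes."""
    for n in (1, 2):
        vals = mapped.get(f"WebVPN-Macro-Substitution-Value{n}")
        if vals:
            url = url.replace(f"CSCO_WEBVPN_MACRO{n}", vals[0])
    return url


# The map the slides build: memberOf -> Group-Policy (CN=owa,... -> owa)
# and wWWHomePage -> macro 1 for use in bookmarks.
DEMO_MAP = (
    LdapAttributeMap()
    .map_name("memberOf", "Group-Policy")
    .map_value("memberOf", "CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com", "owa")
    .map_name("wWWHomePage", "WebVPN-Macro-Substitution-Value1")
)

if __name__ == "__main__":
    mapped = DEMO_MAP.apply(parse_debug_attributes(SAMPLE_DEBUG))
    for asa_attr, vals in mapped.items():
        for v in vals:
            print(f"mapped to {asa_attr}: value = {v}")
    print(resolve_group_policy(mapped, {"owa", "beta"}, "DfltGrpPolicy"))
    print(substitute_macros("https://CSCO_WEBVPN_MACRO1/owa", mapped))
```

The check worth keeping from this model is the last one: a user whose AD group has no map-value entry must end up in the connection profile's default group policy, so that default should be the most restrictive policy you have.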


VIDEO WALK THROUGH

DAP


Dynamic Access Policies

• Based on AAA and/or Endpoint Attributes, DAPs can assign Access and Authorization Attributes.

• AAA examples: Cisco Username, LDAP memberOf, Radius 4097*

• Endpoint examples: OS, FW, AV, AS, HostName

• Access/Authorization Attribute examples: ACL, Bookmarks, Functions, Terminate/Continue

*DAP adds 4096 to the numerical Radius Attribute ID, i.e. 4097-4096=1=Access-Hours


Order of Enforcement:

• Dynamic Access Policy (DAP)

• User Attributes

• Group-Policy Attributes

• Connection Profile

• Default Groups

* More Information: https://supportforums.cisco.com/docs/DOC-1369

[Slide annotations: arrows labelled "Overwrite *" and "Processing Order" alongside the list above]


Default Access Policy

• It is always the last entry

• The default action for DfltAccessPolicy is “Continue”

• As you add Policies, you should change it to “Terminate”


Challenge

• Active Directory Users are typically members of more than ONE group

• On the ASA a user can only be a member of a single group

• Dynamic Access Policies can multi-match and aggregate

[Screenshots: DAP record editor, showing the Source, Condition and Action of each record]

Debug DAP

debug dap trace enabled at level 1

ssl-lab#

The DAP policy contains the following attributes for user: jupp

--------------------------------------------------------------------------

1: url-list = engineering,marketing

2: action = continue

3: appl-acl = DAP-web-user-74CBC80D

rule 1: permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default

rule 2: permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default

DAP_TRACE: DAP_open: 7FFF32905670

[TRUNCATED]

DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Engineering

DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Marketing

[TRUNCATED]

DAP_TRACE: Username: jupp, Selected DAPs: ,engineering,marketing

DAP_TRACE: dap_process_selected_daps: selected 2 records

DAP_TRACE: Username: jupp, dap_aggregate_attr: rec_count = 2

DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering] 11 128

DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering,marketing] 21 128

DAP_TRACE: Username: jupp, DAP_close: 7FFF32905670


Aggregation Result

User has 2 Bookmarks

2 ACEs for the User
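The DAP slides above (selection on AAA attributes, multi-match with aggregation of url-list and ACL entries, the DfltAccessPolicy "Continue" vs "Terminate" choice, the 4096 offset for RADIUS attribute IDs, and the order of enforcement) can be modelled together. The following is an added example, not ASA code or part of the session: the two records and the user "jupp" are constructed to reproduce the debug trace shown, and the rules that DfltAccessPolicy is consulted only when no other record matches, that any selected record with action terminate ends the session, and that the first layer in the enforcement order to define an attribute wins, are assumptions of this model, not a statement of ASA internals.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, List[str]]  # attribute bag, e.g. {"aaa.ldap.memberOf": [...]}


@dataclass
class DapRecord:
    """One DAP record: a selection condition over the AAA/endpoint attribute
    bag plus the access attributes it contributes when selected."""
    name: str
    condition: Callable[[Attrs], bool]
    url_list: List[str] = field(default_factory=list)
    acl_rules: List[str] = field(default_factory=list)
    action: str = "continue"  # "continue" or "terminate"


@dataclass
class DapResult:
    selected: List[str]
    action: str
    url_list: List[str]
    acl_rules: List[str]


def member_of(group: str) -> Callable[[Attrs], bool]:
    """AAA condition: aaa.ldap.memberOf contains `group` (case-insensitive)."""
    return lambda a: group.lower() in (g.lower() for g in a.get("aaa.ldap.memberOf", []))


def evaluate_daps(records: List[DapRecord], attrs: Attrs, default: DapRecord) -> DapResult:
    """Multi-match: every record whose condition holds is selected and their
    attributes are aggregated. The default record (DfltAccessPolicy, always
    the last entry) is used only when nothing else matched (model assumption)."""
    selected = [r for r in records if r.condition(attrs)]
    if not selected:
        selected = [default]
    # One terminate among the selected records terminates the session (model assumption).
    action = "terminate" if any(r.action == "terminate" for r in selected) else "continue"
    urls: List[str] = []
    acls: List[str] = []
    for r in selected:
        for u in r.url_list:
            if u not in urls:
                urls.append(u)
        acls.extend(r.acl_rules)
    return DapResult([r.name for r in selected], action, urls, acls)


def radius_dap_attribute_id(radius_attr_id: int) -> int:
    """DAP refers to numeric RADIUS attributes offset by 4096 (slide: 4097 - 4096 = 1)."""
    return 4096 + radius_attr_id


# Order of enforcement from the slides, highest priority first.
ENFORCEMENT_ORDER = ["dap", "user", "group-policy", "connection-profile", "default-group"]


def resolve_attribute(name: str, layers: Dict[str, Dict[str, object]]) -> Optional[object]:
    """The first layer that defines the attribute wins, DAP first, default group last."""
    for layer in ENFORCEMENT_ORDER:
        value = layers.get(layer, {}).get(name)
        if value is not None:
            return value
    return None


# Constructed sample policies and users reproducing the debug trace on the slides.
RECORDS = [
    DapRecord("engineering", member_of("Engineering"), ["engineering"],
              ["permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default"]),
    DapRecord("marketing", member_of("Marketing"), ["marketing"],
              ["permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default"]),
]
DFLT_AS_SHIPPED = DapRecord("DfltAccessPolicy", lambda a: True, action="continue")
DFLT_HARDENED = DapRecord("DfltAccessPolicy", lambda a: True, action="terminate")

JUPP: Attrs = {"aaa.cisco.username": ["jupp"], "aaa.ldap.memberOf": ["Engineering", "Marketing"]}
GUEST: Attrs = {"aaa.cisco.username": ["guest"], "aaa.ldap.memberOf": ["Domain Users"]}


def demo_jupp() -> DapResult:
    return evaluate_daps(RECORDS, JUPP, DFLT_HARDENED)


def demo_unmatched(default: DapRecord) -> DapResult:
    """A user who matches no record: outcome depends entirely on DfltAccessPolicy."""
    return evaluate_daps(RECORDS, GUEST, default)


if __name__ == "__main__":
    r = demo_jupp()
    print(f"Selected DAPs: {','.join(r.selected)}; url-list = {','.join(r.url_list)}; "
          f"{len(r.acl_rules)} ACE; action = {r.action}")
    print("unmatched user, DfltAccessPolicy as shipped:", demo_unmatched(DFLT_AS_SHIPPED).action)
    print("unmatched user, DfltAccessPolicy terminate :", demo_unmatched(DFLT_HARDENED).action)
    print("radius attribute 1 as DAP id:", radius_dap_attribute_id(1))
```

The two `demo_unmatched` calls are the point of the "change to Terminate" advice: with the shipped default a user who matches none of your records still continues with whatever the group policy grants, with terminate the session fails closed.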

VDI Access for mobiles


Citrix Mobile Receiver

• This feature provides secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA.

• Supported Mobile Devices

‒ iPad — Citrix Receiver version 4.x or later

‒ iPhone/iTouch — Citrix Receiver version 4.x or later

‒ Android 2.x/3.x/4.0/4.1 — Citrix Receiver version 2.x or later

New in ASA v9.0


Citrix Mobile Receiver

• Only default tunnel group is supported

• One XenApp or XenDesktop server at a time

• Requires XML service on XenApp and XenDesktop servers

• No support for Certificates, Smart Cards, Double Authentication, Internal passwords, Group-URL

• Requires trusted identity certificate for ASA

Implementation Details


Citrix Mobile Receiver

Configuration

This is your Citrix Server

First time Setup

User adds an account

FQDN of ASA

Choose Access Gateway

Choose Standard Edition

Enter Username

Every day experience

Enter Password

Select your Desktop

Every day experience (XenDesktop)

Wrap up


IPv6

• IPv6 address for Endpoint and ASA

• Supported:

‒ Rewriter, Java Plug-ins

‒ Smart Tunnels for IPv6 aware applications

‒ Web-type ACL

‒ Auto Sign-On

• Unsupported:

‒ SSH / Telnet plug-in

‒ Port Forwarding, Email-Proxy, Proxy-Bypass

• Internal back-end resources still use IPv4

‒ Netfs / CIFS / SMB / FTP

‒ OCSP, CRL

‒ DNS, AAA Servers


Summary

We have seen:

• The requirements to get started

• The Configuration of different groups with different Policies

• How AAA/LDAP can be used to assign these Policies

• The new Bookmark Methods

• How Customization can influence User experience


Recommended Reading for BRKSEC-2697


Call to Action

• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action

• Get hands-on experience attending one of the Walk-in Labs

• Schedule a face to face meeting with one of Cisco’s engineers at the Meet the Engineer center

• Discuss your project’s challenges at the Technical Solutions Clinics
