Saturday, December 12, 2015

Cisco Secure Desktop and DAP (Dynamic Access Policy)

Qualifying hosts and modifying access


What is Cisco secure desktop?
The role of Dynamic Access Policies
Implementation and Verification


Machines on the outside network cannot be trusted. Malware may have been installed on a PC accidentally, and information on it may already have been stolen. We don't want such a PC to connect to internal resources.

We can admit such a PC only after it passes NAC (Network Admission Control).
The PC must satisfy certain policies before it is allowed onto the internal network.

Posture assessment: search for antivirus software, which version it is, and how long it has been installed.
If the requirements are met, provide access; otherwise deny it.
Another option is to check for a personal firewall on the machine and whether it is turned on or not.
Keylogger (malware): is a keystroke logger installed? It would monitor keystrokes.
Is this machine running in a virtualized environment?

To achieve this we can use either of the following:
Buy an ASA and configure NAC
ISE (Identity Services Engine), which does the same job as NAC

How do we know what is on the machine?
Install Cisco Secure Desktop on the ASA and use it in conjunction with the SSL clientless VPN and SSL AnyConnect.

Basic Host Scan:
OS, files, registry, address, certificates

Advanced Endpoint Assessment:
Scans for antivirus, anti-spyware and personal firewall, and with the added ASA license can perform remediation.

Cisco Secure Desktop also protects against malicious activity in the middle of the VPN connection.

When the client logs off, some data remains in the cache.
So we also have the option of:
Secure Desktop Vault: everything is saved in the vault, and the vault is deleted once the user logs off. No trace is left behind.
Cache Cleaner: anything saved during the VPN connection is wiped.

Based on the posture scan of the client, we can grant more permissions or restrict permissions using DAP (Dynamic Access Policies).

Install and deploy Cisco Secure Desktop
Download it from the Cisco site and copy it to flash.
On ASDM:
Config -> Remote Access VPN -> Secure Desktop Manager -> Setup
Browse to the location of the CSD package csd_3.5.2008-k9.pkg
Enable and Apply
Check Prelogin Policies to verify what users must have in place before login.

We can configure the policies we want under Prelogin Policy:
 -Keystroke logger check is not enabled by default; we can turn it on
 -Enable the check for host emulation (virtual machines)
 -Cache Cleaner: different options under this
 -Vault settings: different options here
Secure Desktop Customisation
Host Scan

Now let's connect as a user on the eng-con profile through the SSL clientless VPN:

https://192.168.1.171/eng

In the background, it prompts me to allow admin rights to run the CSD.exe application received from the ASA.

Once that is done, it prompts for logon.

We have bookmarks, plug-ins and browser access available.

If you are coming from an IP address that is not allowed by the Prelogin Policy, the Cisco Secure Desktop pre-login check fails.

Now say the client PC does not have a firewall installed and we want to restrict it so that it cannot use HTTP applications. The solution is DAP.

DAP on ASDM:
Config -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies.
By default, only the default policy is present here.

Rules to remember: policies apply top down, in this order of precedence:
DAP
User
Group
Group tied to connection profile
Default policy

Create a new policy:
NO-HTTP_Browsing. If the criteria match, no HTTP access.

Let's configure it so that anybody who comes in on the eng-con profile will not have access to HTTP.
We can add endpoint attributes as well.
Under Functions, disable all.

Bring up the client and try to log on:
Logon successful
We don't have the browsing option at all.
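To make the pre-login address check, the top-down precedence list and the NO-HTTP_Browsing policy above concrete, here is an added Python model of how a session is evaluated. It is my illustration, not Cisco code and not the ASA's actual algorithm. It assumes a constructed pre-login policy that admits only 192.168.1.0/24 and 10.0.0.0/8, a second constructed DAP record (No-Firewall-Lockdown) that fires when the host scan reports no personal firewall, and the simplification that when several DAP records match, a disable in any of them wins.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Functions that a DAP record, or one of the lower policy layers, can enable or disable.
FUNCTIONS = ("web_browsing", "file_browsing", "port_forwarding", "anyconnect")

# Constructed pre-login policy: only clients from these source ranges reach the logon page.
ALLOWED_PRELOGIN_NETS = (ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8"))

# Default group policy: everything enabled unless a higher layer says otherwise.
DEFAULT_POLICY = {fn: "enable" for fn in FUNCTIONS}


def prelogin_passes(client_ip: str) -> bool:
    """Pre-login address check: a client outside the allowed ranges fails before logon."""
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWED_PRELOGIN_NETS)


@dataclass
class DapRecord:
    """One DAP record: an AAA criterion (connection profile), endpoint criteria
    (host-scan results that must all match) and the functions the record disables."""
    name: str
    conn_profile: Optional[str] = None
    endpoint: Dict[str, object] = field(default_factory=dict)
    disabled: frozenset = frozenset()

    def matches(self, conn_profile: str, hostscan: Dict[str, object]) -> bool:
        if self.conn_profile is not None and self.conn_profile != conn_profile:
            return False
        # A missing host-scan result is "unknown", not a match: the record only fires
        # when every required attribute was actually observed with the required value.
        return all(hostscan.get(key) == want for key, want in self.endpoint.items())


def resolve_functions(conn_profile: str, hostscan: Dict[str, object],
                      dap_records, user: dict, group: dict,
                      conn_group: dict, default: dict) -> Tuple[Dict[str, str], List[str]]:
    """Top-down resolution in the order the post lists: DAP, then user, then group,
    then the group tied to the connection profile, then the default policy."""
    matched = [r for r in dap_records if r.matches(conn_profile, hostscan)]
    # Simplifying assumption: when several DAP records match, a disable in any of them wins.
    dap_layer = {fn: "disable" for record in matched for fn in record.disabled}
    layers = (dap_layer, user, group, conn_group, default)
    resolved: Dict[str, str] = {}
    for fn in FUNCTIONS:
        for layer in layers:          # first layer that sets the attribute wins
            if fn in layer:
                resolved[fn] = layer[fn]
                break
    return resolved, [record.name for record in matched]


# The NO-HTTP_Browsing policy from the post: anyone on eng-con loses web browsing.
NO_HTTP_BROWSING = DapRecord(name="NO-HTTP_Browsing", conn_profile="eng-con",
                             disabled=frozenset({"web_browsing"}))
# Constructed second record (hypothetical): a host whose scan shows no personal
# firewall loses file browsing and port forwarding on any profile.
NO_FIREWALL_LOCKDOWN = DapRecord(name="No-Firewall-Lockdown",
                                 endpoint={"personal_firewall": False},
                                 disabled=frozenset({"file_browsing", "port_forwarding"}))
DAP_RECORDS = (NO_HTTP_BROWSING, NO_FIREWALL_LOCKDOWN)


def evaluate_session(client_ip: str, conn_profile: str, hostscan: Dict[str, object]) -> dict:
    """Pre-login check first, then DAP resolution with empty user/group layers."""
    if not prelogin_passes(client_ip):
        return {"admitted": False, "functions": {}, "dap_records": []}
    functions, names = resolve_functions(conn_profile, hostscan, DAP_RECORDS,
                                         {}, {}, {}, DEFAULT_POLICY)
    return {"admitted": True, "functions": functions, "dap_records": names}


if __name__ == "__main__":
    # Constructed sessions: an outside address, the eng-con user from the post,
    # an eng-con host with no firewall, and a user on an unrelated profile.
    for ip, profile, scan in (("203.0.113.7", "eng-con", {}),
                              ("192.168.1.50", "eng-con", {"personal_firewall": True}),
                              ("10.1.2.3", "eng-con", {"personal_firewall": False}),
                              ("192.168.1.50", "sales", {"personal_firewall": True})):
        print(ip, profile, evaluate_session(ip, profile, scan))
```

The eng-con user with a firewall matches only NO-HTTP_Browsing and keeps every function except web browsing, which is the result seen in the post; the eng-con host without a firewall matches both records and loses file browsing and port forwarding too, while a user on another profile falls through to the default policy.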

Benefit of CSD:

Besides the pre-login assessment that looks for things like antivirus and malware, we can also implement DAP based on the Host Scan of the device: what it has and what it does not have. Without the appropriate license on the ASA we can't fix the problem, but with the Advanced Endpoint Assessment license we can.
