00:00:02 - Cisco Secure Desktop and dynamic access policies.
00:00:06 - We've spent a lot of effort and time in honing our skills
00:00:09 - together in how we can get the VPN to work.
00:00:12 - However, my question is this.
00:00:14 - Do we always want to allow that VPN user to have access
00:00:17 - to the network?
00:00:18 - If it's an authorized user, maybe they're coming from a
00:00:21 - machine that is ridden with security holes.
00:00:24 - Maybe they don't have a personal firewall.
00:00:26 - Maybe they don't have an antivirus software installed
00:00:28 - and running.
00:00:29 - Do we want to allow that computer to be allowed to
00:00:32 - connect to our network?
00:00:33 - The answer is, possibly not.
00:00:35 - Using Cisco Secure Desktop and dynamic access policies we can
00:00:39 - address those concerns.
00:00:40 - That's what this Nugget is all about.
00:00:41 - Let's jump in.
00:00:43 - Hey, welcome back.
00:00:44 - In this Nugget, you and I are going to focus on the concept
00:00:47 - of the Cisco Secure Desktop, better known as CSD, and also
00:00:51 - dynamic access policies and why we even have them.
00:00:53 - So we'll take those in order.
00:00:55 - Then we'll implement and test it.
00:00:57 - So let's take a look at this machine
00:00:58 - out here on the internet.
00:00:59 - He looks pretty safe.
00:01:00 - He looks just like this one here.
00:01:02 - Now let's say this is Bob's computer, or the computer that
00:01:05 - Bob is using.
00:01:05 - Maybe it's Macintosh, maybe it's
00:01:07 - Linux, maybe it's Windows.
00:01:09 - Now, is that machine safe?
00:01:10 - And the answer is, probably not.
00:01:12 - There's all kinds of things that could
00:01:14 - happen to that machine.
00:01:15 - Bob could be going out to the internet, he clicks on a
00:01:17 - resource, clicks on a link, and unfortunately some malware
00:01:21 - is installed.
00:01:22 - And even prompts him-- are you sure you want to install this?
00:01:24 - He goes, yeah, sure, and installs.
00:01:26 - Maybe there's a keystroke logger that's
00:01:29 - installed in software.
00:01:31 - So every time he types something, that information is
00:01:33 - stored and then periodically sent out to an attacker.
00:01:36 - So his passwords, at that point, once he's logged on to
00:01:38 - his bank account and everything else, all those
00:01:41 - passwords are now known to the attacker.
00:01:43 - So do we want to allow this machine to connect to our
00:01:46 - network and get to our critical servers?
00:01:48 - And the answer is, well, that's, Keith-- that's what
00:01:50 - the VPN's for, right?
00:01:52 - And I would agree with you.
00:01:53 - Yes, that is what the VPN is for, but do we want to just
00:01:57 - allow anybody on?
00:01:58 - And the answer is, probably not.
00:02:01 - So there's this concept out there called NAC.
00:02:03 - Network admissions control.
00:02:05 - And what NAC-- the concept of NAC is all about is to profile
00:02:10 - this machine to make sure it has at least the minimum
00:02:14 - requirements based on our policy before we
00:02:17 - let it on the network.
00:02:18 - It's sort of like saying, yes, you can come to the party, but
00:02:20 - you have to wear a tie.
00:02:22 - And then everyone comes to the door, if they're not wearing a
00:02:24 - tie, we either say, hey, you can't come
00:02:26 - in, or here's a tie.
00:02:29 - Here's how to fix it.
00:02:29 - Go ahead and put the tie on and then come in.
00:02:32 - But that way we can enforce the policy.
00:02:34 - So what are some basic policies that we want on this
00:02:37 - machine before we want him to come into our network?
00:02:41 - A couple of basics.
00:02:42 - One, we want to search for anti-virus software.
00:02:48 - Some type of program that he is running on his machine.
00:02:50 - Now, what's the antivirus program
00:02:52 - standard at your company?
00:02:54 - And the answer is, probably something.
00:02:56 - Most companies have a policy for what should be running.
00:02:59 - So what we could do is we could--
00:03:01 - before we authenticate him, we could have a little
00:03:04 - conversation with his machine in software and do a posture
00:03:08 - assessment saying, OK, do you have
00:03:10 - antivirus software running?
00:03:12 - Yes.
00:03:12 - What flavor is it?
00:03:13 - What version is it?
00:03:14 - How recently it was updated, and so forth.
00:03:18 - And if he doesn't meet the requirements, we can go ahead
00:03:20 - and give him restricted access, or we can give him no
00:03:23 - access based on our dynamic access policies kicking in as
00:03:27 - a result of the findings.
00:03:28 - Another feature--
00:03:29 - maybe a firewall.
00:03:32 - A personal firewall running on this machine.
00:03:34 - Is it present?
00:03:35 - Is it on?
00:03:36 - Yes or no?
00:03:37 - Other options include loggers.
00:03:40 - Now we'll just call that malware.
00:03:43 - Is there a key logger installed that might be
00:03:45 - recording keystrokes as this guy is now connected to us.
00:03:48 - And one other option, too, is--
00:03:50 - is this machine running in a virtualized environment?
00:03:55 - Because if we have a rule about if you're VPNing in, it
00:03:58 - needs to be from your physical machine and not from a virtual
00:04:00 - machine that you're coming in from.
00:04:02 - For security reasons, we could go ahead and enforce that.
00:04:05 - So those are some of the items that we might
00:04:06 - want to check for.
00:04:08 - So, great, Keith, that's a fantastic idea.
00:04:09 - How do you do that?
00:04:11 - Well, there are several ways of doing that.
00:04:12 - We could purchase an appliance here, they used to have a
00:04:15 - product, Cisco did, and it's still implemented in many
00:04:18 - places, but it was NAC.
00:04:19 - Network Admissions Control.
00:04:21 - And they had a server, and there was a manager, it was a
00:04:23 - huge infrastructure.
00:04:25 - Now, continuing into the 21st century, we have the ISE,
00:04:30 - which is an acronym for Identity Services Engine.
00:04:33 - And it pretty much can do a lot of similar
00:04:35 - functionality as NAC.
00:04:36 - It can posture a device, find out if it has the minimum
00:04:39 - requirements based on the policy you set before
00:04:42 - it lets them in.
00:04:43 - Now how exactly do we find out what's on Bob's machine, or
00:04:46 - the machine Bob's coming in from, when our
00:04:49 - gear is over here?
00:04:50 - The answer is software.
00:04:52 - We're going to have to have some software agent installed
00:04:55 - on that device.
00:04:56 - So from an ASA perspective with Cisco Secure
00:04:58 - Desktop, guess what?
00:05:00 - That is some of the software that's going to be installed.
00:05:04 - So whether it's an SSL clientless connection, or
00:05:09 - whether it's an SSL client AnyConnect, we can use this
00:05:16 - feature of Cisco Secure Desktop in conjunction with
00:05:18 - either of those to go ahead and do pre-login posturing of
00:05:22 - that machine to see whether or not it's
00:05:25 - compliant with our standards.
00:05:27 - Now besides just doing a compliancy check, there's also
00:05:32 - some advanced licenses.
00:05:33 - For example, you can use a thing called advanced endpoint
00:05:36 - assessment.
00:05:37 - And with that, you can not only identify the failures,
00:05:40 - but you can also fix them.
00:05:42 - And that requires an additional license, but that
00:05:44 - is a capability that we have with the ASA using the options
00:05:49 - that are present with the appropriate licenses.
00:05:52 - The Cisco Secure Desktop also has the ability while we're
00:05:55 - connected securely over the VPN to make sure that new,
00:05:59 - malicious applications are opened up.
00:06:01 - What happens if we're in the middle of a session and some
00:06:04 - malware does creep in and does start, does launch?
00:06:06 - We want the VPN software to be aware of that and say, hey,
00:06:09 - you know what?
00:06:10 - We need to stop this session because this malicious content
00:06:13 - just came up.
00:06:14 - Now what happens when Bob logs off?
00:06:15 - So Bob had his session, he accessed through the SSL VPN
00:06:19 - client, or with his AnyConnect client.
00:06:22 - He accessed the resources on the server.
00:06:23 - He's all done with his VPN session, and now
00:06:25 - he's going to go away.
00:06:27 - When he logs off, let's say he was Clientless.
00:06:29 - What could be cached on this machine?
00:06:31 - Well, we could have, for example, that any files, if he
00:06:34 - downloaded some files, those could be
00:06:36 - stored on this machine.
00:06:38 - If he was, during his session, logged on, maybe his username
00:06:42 - and password, or at least the username, is
00:06:44 - cached on this machine.
00:06:45 - So we also have the ability of using
00:06:47 - something called a vault.
00:06:50 - Now a vault--
00:06:51 - think of it like a bank vault, where you keep
00:06:53 - everything in the vault.
00:06:55 - That's how it works logically with this PC.
00:06:57 - We can set up with Cisco Secure Desktop a vault.
00:07:00 - It's basically a sandbox where everything that Bob does while
00:07:04 - he's connected with the VPN stays in the vault.
00:07:07 - Any files that he saves, anything that he does, it all
00:07:10 - goes in the vault, and when he's done, based on our policy
00:07:13 - here, we can go ahead and remove the vault.
00:07:15 - So any files he saved, any keystrokes he made, anything
00:07:18 - he did, can all be washed away by removing the
00:07:22 - vault after he's gone.
00:07:23 - Now there is an option to leave the vault in place,
00:07:26 - password protected on this machine, but that's generally
00:07:28 - not a good idea.
00:07:30 - We'll do a scorched earth technology where we log on, he
00:07:33 - logs off, and we remove the vault.
00:07:36 - There's also a cache cleaner, which has, again, a similar
00:07:42 - functionality and that is to take a look at anything in the
00:07:44 - cache while Bob was connected and simply to wipe it out.
00:07:48 - So if we boiled the Cisco Secure Desktop down into its
00:07:51 - basic components, what does it do for us?
00:07:54 - It allows us to do pre-logon assessment of the posture of a
00:07:57 - host machine.
00:07:59 - While Bob's connected, it keeps all that conversation
00:08:02 - safe due to the VPN.
00:08:04 - And when he logs off, it cleans up this machine to
00:08:07 - leave no trace behind that an attacker or somebody else
00:08:10 - might be able to leverage to get access into our network.
00:08:14 - So that's the Cisco Secure Desktop.
00:08:16 - The other benefit of using the Cisco Secure Desktop is that
00:08:20 - if we do find him, that he does have a lacking posture,
00:08:23 - or he doesn't have all the pieces that we'd like, we can
00:08:26 - also go ahead and specify that we can change his policies.
00:08:30 - We can either give him more permissions based if he has a
00:08:32 - good posture, or we can remove permissions based on if he has
00:08:36 - a weak posture.
00:08:37 - And that's what dynamic access policies are all about.
00:08:39 - So let's start with the first one, that
00:08:41 - Cisco Secure Desktop.
00:08:42 - Let me walk you through step by step on how to install it
00:08:45 - at the ASA, and then we'll take a look at what it feels
00:08:48 - like when a client connects with Clientless SSL VPN in our
00:08:52 - situation, in our scenario, and just to get a look and
00:08:54 - feel from the customer's perspective of what Cisco
00:08:57 - Secure Desktop looks like.
00:09:00 - It's been scientifically proven it's a lot easier to
00:09:03 - install and deploy the Cisco Secure Desktop if
00:09:06 - you have the software.
00:09:07 - So our first task is going to be to download it from Cisco's
00:09:11 - website and move it to the flash on our ASA.
00:09:14 - Once we have that, or if you have it on your PC, we can
00:09:17 - move it via TFTP or we can use the GUI right here to move the
00:09:21 - file from our PC over to the flash.
00:09:23 - But the cool thing is it's deployed, very much like the
00:09:26 - AnyConnect client can be deployed right from the ASA to
00:09:30 - the SSL or the AnyConnect client VPN.
00:09:33 - So let's take a look at where we would set this up.
00:09:35 - Under configuration, remote access VPN and Cisco Secure
00:09:38 - Desktop manager, we have one option, and that
00:09:41 - is to set it up.
00:09:42 - Before we actually install the package, we don't have any
00:09:45 - other options for configuring it.
00:09:47 - So let's browse the flash, it does happen to be on my flash
00:09:50 - on this device.
00:09:51 - And the file is right here.
00:09:54 - CSD 3.5.
00:09:55 - That's a fairly current one.
00:09:57 - So we'll go ahead and we'll specify where it is.
00:09:59 - I'll also want to specify that I want to enable it.
00:10:01 - And I'll click on apply.
00:10:03 - So all it's doing is saying, OK, this Cisco Secure Desktop
00:10:05 - image is here, and I want to enable it.
00:10:08 - You click on send, and it does its magic.
00:10:13 - Now once it's done its magic, we click OK here.
00:10:16 - Now go back to Cisco Secure Desktop manager.
00:10:19 - Now we have more options.
00:10:22 - Check this out.
00:10:22 - We have the setup that we had before, but now we have global
00:10:25 - settings, we have a pre-login policy, we have a default
00:10:29 - policy, we have the Cisco Secure Desktop customization,
00:10:32 - and we have a host scan option.
00:10:34 - Let's take a look at some of these options
00:10:36 - right off the bat.
00:10:37 - Number one, if we want to verify what people have to
00:10:41 - have in place before they get on the network, we can specify
00:10:44 - what the pre-logon policy is.
00:10:46 - And let me show you how easy this is.
00:10:48 - It's basically a graph, a flow chart, if you will, of what we
00:10:51 - want to happen.
00:10:52 - When a user connects, what do you want to have happen?
00:10:54 - Well, let's say we want to add a behavior
00:10:57 - of a registry check.
00:10:58 - Maybe you only want devices that have a certain registry
00:11:02 - entry to be able to connect.
00:11:03 - If they don't have it, you're going to deny access.
00:11:06 - That would be one way of identifying resources that are
00:11:09 - owned by the company, is by embedding, or burying, some
00:11:12 - registry entry the user isn't aware of that is being checked
00:11:16 - for when they try to connect.
00:11:18 - We can also check for a specific file, or we can look
00:11:21 - for a certificate or a specific OS, or an IP address.
00:11:25 - Let's use an IP address as an example.
00:11:27 - So I'll click on add.
00:11:28 - It says great.
00:11:29 - This is highlighted, IP address check.
00:11:31 - And let's say that you have to be on the 192.168.1 network
00:11:35 - with a 24 bit mask in order to proceed.
00:11:38 - So I'm going to click on update, and
00:11:39 - that's what this is--
00:11:40 - I want to go back and edit this right here.
00:11:41 - All this is implementing a policy.
00:11:44 - Just like Abraham Lincoln said, if we had eight hours to
00:11:47 - cut down a tree, we probably should spend six hours
00:11:50 - sharpening our axe.
00:11:51 - So we want to identify, what are the requirements for
00:11:53 - somebody coming in?
00:11:54 - And you can have more than just one.
00:11:56 - So we have this right here, and then we can go on so if
00:12:00 - they fail, meaning they don't come in from that IP address,
00:12:03 - it's going to be denied.
00:12:04 - So if they do come in from that IP address, that range,
00:12:07 - what do we want next?
00:12:08 - Well, instead of just saying default, let them continue, we
00:12:11 - can go ahead and click on the plus symbol and we can do
00:12:13 - another check.
00:12:14 - So let's go ahead and do a registry check.
00:12:17 - Or let's go ahead and do a certificate check.
00:12:19 - Add it.
00:12:20 - And then you can specify, I'm looking for some aspect in a
00:12:23 - certificate, a common name, the given name, the
00:12:28 - organization, organizational unit, you can search for
00:12:30 - virtually anything you'd like.
00:12:32 - So in this case, what we have set up so far, let me go ahead
00:12:34 - and remove that, I'll say delete, and delete that, all
00:12:38 - this says right now is I'm doing an IP address check.
00:12:41 - That if I'm on this network, 192.168.1, I will pass, and if
00:12:46 - I don't come in from that address, I'm going to fail.
00:12:48 - But they can get very, very elaborate.
00:12:51 - And so you can have a whole bunch of if-then statements
00:12:53 - looking for all the criteria for a pre-logon check for
00:12:57 - people who are going to come in.
00:12:58 - So I'm going to go ahead and click on update
00:13:00 - and apply that change.
00:13:02 - And now that's applied.
00:13:04 - Let's take a look at this keystroke
00:13:06 - logger in safety checks.
00:13:08 - Now by default, keystroke logging is not on by default.
00:13:11 - But you can turn it on, just like that.
00:13:13 - So now it's going to look for keystroke loggers that are in
00:13:16 - software and running on that PC.
00:13:19 - We can also down here check for host emulation.
00:13:21 - So if you have a policy that's saying hey, no VPNs from
00:13:25 - virtual machines into the company, this would be the
00:13:27 - check that would look for that.
00:13:29 - In this case, if I really do want to deny access, I need to
00:13:32 - just click right here saying, I want to deny access if
00:13:34 - running within emulation for that device.
00:13:36 - In my case, because I'm going to be logging in here in a
00:13:39 - moment and I will be doing it from some emulated machines,
00:13:42 - I'm going to say, don't check for the emulation and go ahead
00:13:45 - and allow them in.
00:13:46 - I do want to check for keystroke loggers.
00:13:47 - We'll apply that change as well.
00:13:49 - Our next piece is the cache cleaner.
00:13:51 - So this is for a user who's-- they've authenticated, they've
00:13:55 - logged on, now they're going to be leaving.
00:13:56 - What do you want to do?
00:13:57 - And you can go ahead and you can give them messages,
00:14:00 - pop-ups saying that their cache has been cleaned, or you
00:14:02 - can go ahead and launch the cleanup automatically, you can
00:14:05 - do it after five minutes of time-out, anything that you
00:14:08 - want to do, you can here as far as cleaning of the cache.
00:14:11 - From that user, especially the Clientless SSL VPN user who's
00:14:15 - been connected, now they're logged out, what do you want
00:14:17 - the Secure Desktop to do based on that?
00:14:19 - Here's our vault settings.
00:14:21 - So first Secure Desktop is saying, you know what, Keith,
00:14:23 - we're not going to let you use Secure Desktop unless you
00:14:25 - enable that.
00:14:26 - So let's go back to default up here, and we'll say, I want to
00:14:29 - go ahead and use Secure Desktop Vault.
00:14:33 - And so you have options of Secure Desktop
00:14:34 - Vault or cache cleaner.
00:14:36 - You don't need both of them.
00:14:37 - Because if we put everything in the vault and we wipe it
00:14:40 - all out, there's not going to be anything left.
00:14:42 - So I'm going to choose that option, Cisco Secure Vault,
00:14:44 - click on apply.
00:14:46 - And then we'll have our options down here
00:14:47 - under Secure Desktop.
00:14:48 - For this vault, if we want to leave that vault in place and
00:14:52 - have an encrypted sandbox left on that machine, we can go
00:14:55 - ahead and allow the user to reuse it.
00:14:57 - There will be a password required for that user to
00:15:00 - secure that vault.
00:15:01 - Most of the time we're not going to leave anything, especially
00:15:04 - if we had this client who comes in, any work they do,
00:15:07 - any trace of what they have, it'd be better if it wasn't
00:15:09 - left on the hard disk even if it's encrypted.
00:15:12 - So we have our settings for general settings
00:15:15 - and the vault settings.
00:15:16 - If we wanted to customize the color and the look of how
00:15:19 - Cisco Secure Desktop looked, we could change our colors
00:15:23 - right here.
00:15:24 - We can change the banners that show up.
00:15:27 - So you can get this all dressed up any way you want
00:15:29 - to, so when a user connects, it looks and feels the way you
00:15:32 - want it to based on your corporate policy.
00:15:34 - Now this host scan gives us the ability to search for,
00:15:37 - click on add, certain elements in the registries, certain
00:15:39 - files, or certain processes.
00:15:41 - Why?
00:15:42 - Well, maybe we're looking for a certain firewall.
00:15:44 - Or maybe we're looking for a certain virus scanning
00:15:47 - software based on the file name.
00:15:49 - So we can look for the file, we can look for the process
00:15:51 - that's already running, or we can look for entries in the
00:15:54 - registry to help verify that it's there, again based on
00:15:57 - your company and what you're looking for.
00:15:58 - There's also, again if you have the advanced endpoint
00:16:01 - assessment license, you can do advanced assessment and
00:16:05 - remediation of those things that are not in place.
00:16:08 - For example, if they don't have the correct version of
00:16:10 - the anti-virus software, you can go ahead and direct them
00:16:13 - and facilitate the update of that software with, again, the
00:16:17 - appropriate license to do that.
00:16:19 - So what have we done so far?
00:16:20 - We've basically installed this one package, we also went to
00:16:24 - our pre-logon policy and said, we want to check to make sure
00:16:26 - that they're coming in from a certain IP subnet as a simple
00:16:30 - example, and that's it.
00:16:32 - So let's try this out.
00:16:33 - Let's go ahead and say apply all to any changes
00:16:35 - that we have here.
00:16:36 - And let's go to a client on the outside of
00:16:38 - this ASA and connect.
00:16:40 - In fact, let's grab a user that we can come in with.
00:16:42 - So Clientless SSL connection profiles.
00:16:45 - Let's come in as the engineering user who is going
00:16:49 - to be coming in to a connection profile called
00:16:51 - eng-con, and his group is eng-group.
00:16:53 - That was one we created earlier in this Nugget series.
00:16:56 - So let's go visit him right now.
00:16:59 - This browser is from a machine that's sitting on that outside
00:17:02 - side 192.168.1 subnet.
00:17:04 - Let's go ahead and open up the correct URL.
00:17:06 - And that would be https://192.168.1.171/,
00:17:14 - and here's the question.
00:17:17 - What is exactly the URL for engineering?
00:17:21 - Let's look at that real quick together
00:17:22 - before we launch this.
00:17:24 - So back under the connection profile, I'm going to open the
00:17:27 - details of engineering connection profile, and we'll
00:17:30 - go under advanced, and down here to Clientless
00:17:32 - SSL, there we go.
00:17:34 - It's ENG at the end.
00:17:35 - Also, right here, by default, once we've enabled Cisco
00:17:38 - Secure Desktop, if we want to disable it on a URL by URL
00:17:43 - basis, we could do so right here by checking that box
00:17:46 - that's saying, don't run Cisco Secure Desktop if they connect
00:17:48 - to these URLs.
00:17:49 - Otherwise with it not checked they will go ahead and use it.
00:17:52 - So I've got the ENG URL specified right there.
00:17:56 - And click on cancel because I didn't make any changes.
00:17:59 - Let's go back to our client and put in that ENG for the
00:18:05 - complete URL.
00:18:06 - And check out what it's doing.
00:18:08 - It's asking me for my administrator rights to make
00:18:11 - sure I can implement the Cisco Secure Desktop.
00:18:15 - And as it runs through, it says it's done.
00:18:17 - And now that it's done, it's asking me to log on.
00:18:20 - So it just went through that posture assessment for me and
00:18:22 - said, OK, are you coming in from this IP address?
00:18:24 - That was the pre-login test we had, and because I passed
00:18:27 - that, I can put in my username of ENG user, and
00:18:31 - my password of Cisco.
00:18:34 - And if you'll notice, we have all of our bookmarks, we've
00:18:36 - got our plug-in options over here, and we have our browse
00:18:39 - capability.
00:18:40 - We have HTTP and all the other standards.
00:18:42 - The HTTPS, the FTP, the CIFS, plus the
00:18:46 - benefit of the plug-ins.
00:18:47 - For SSH and telnet plug-in, the RDP, and the VNC plug-in,
00:18:51 - all because they're available courtesy of the ASA.
00:18:55 - From a user perspective, that's all pretty normal,
00:18:57 - except for the fact that we have to have administrator
00:18:59 - rights to actually install the CSD which got pushed down to
00:19:03 - us from the ASA.
00:19:04 - So let's log out and let's make a change over on the ASA
00:19:09 - just to make sure our policy is working.
00:19:11 - We'll go back to our configuration, and we'll say
00:19:14 - under our pre-login policy, let's go ahead and change the
00:19:17 - IP address requirement.
00:19:18 - Instead of saying you have to come in from 192.168.1 subnet,
00:19:22 - let's say you have to come in from 192.168.2 subnet.
00:19:25 - Just to validate that the pre-login assessment is
00:19:28 - actually taking effect.
00:19:29 - We'll apply that change, we'll go back to our
00:19:32 - client, and try it again.
00:19:34 - So we'll click on log on, and it's going through the
00:19:36 - motions, it's asking me if I want to run it, I'm
00:19:39 - going to say yes.
00:19:41 - Also, critical failure.
00:19:44 - Well, the critical failure, the pre-logon failed us
00:19:47 - because I'm coming from an IP address that isn't allowed.
00:19:51 - The pre-logon policy says, OK, 192.168.2 anything, and I'm 1
00:19:56 - anything, I didn't match, and so I'm not even getting one
00:19:59 - step further.
00:19:59 - So also here, just be aware that ActiveX and Java are both
00:20:04 - big components of all these pieces installing.
00:20:08 - So there are the Cisco Secure Desktop for Linux, there's one
00:20:11 - for Macintosh, there's one for Windows.
00:20:14 - They all have their little quirks and
00:20:15 - requirements and so forth.
00:20:17 - But as a general rule, we have to allow either ActiveX or
00:20:20 - Java to execute so that the user can actually run the
00:20:24 - Cisco Secure Desktop that's pushed down to
00:20:26 - them from the ASA.
00:20:28 - The Cisco Secure Desktop gives us that ability to peek into
00:20:31 - that machine for that pre-logon assessment to verify
00:20:35 - that that machine meets our requirements based on IP
00:20:37 - address, or registry checks, or looking for a specific
00:20:41 - software firewall or a specific
00:20:43 - antivirus that is present.
00:20:44 - Now let's presume for a moment that something's missing.
00:20:48 - So let's say he doesn't have a firewall present.
00:20:51 - Do you still want to give him full access to the ASA?
00:20:53 - And the answer is maybe, or maybe not, depending on your
00:20:56 - company policy.
00:20:57 - Well, what if we want to change it?
00:20:58 - Let's say that if he doesn't have, for example, a firewall
00:21:02 - present on his PC, we want to not give him the ability to do
00:21:06 - HTTP browsing.
00:21:09 - He can use his bookmarks, but he can't use that dropdown for
00:21:12 - HTTP and put anything he wants in.
00:21:14 - Or let's say we want to change a web type ACL based on him
00:21:18 - not having an antivirus software package installed.
00:21:21 - How do you do that?
00:21:22 - I mean, it's still Bob.
00:21:23 - Bob could hop around from machine to machine.
00:21:25 - How do you dynamically change his permissions?
00:21:28 - And the answer is DAP.
00:21:31 - Dynamic access policies do that.
00:21:33 - So what we could do is he connects, and based on his
00:21:36 - machine he's connecting from, based on the set of conditions
00:21:40 - that are set, we can then provide him additional
00:21:43 - permissions or take away permissions all based on DAP.
00:21:46 - Remember the hierarchy of the rules?
00:21:49 - We have DAP, that's first, then you have user, and then
00:21:53 - you have what?
00:21:53 - What's next?
00:21:54 - Group, good for you.
00:21:56 - And what's next after that?
00:21:57 - Group again, except this is the group that's tied to the
00:22:00 - connection profile.
00:22:01 - And then we have our default group policy.
00:22:03 - Now that's the pecking order.
00:22:04 - So based on his profiling here, what he has or doesn't
00:22:08 - have and based on our set of DAP rules, those can take
00:22:12 - precedence over everything else.
00:22:14 - So if we want him to have a specific set of bookmarks
00:22:17 - based on his machine that he's coming in from, or if we want
00:22:20 - to restrict browsing based on a set of conditions, we can do
00:22:23 - that with the dynamic access policies.
00:22:25 - So let's do that.
00:22:26 - Let's do a simple example that we can just very clearly see
00:22:30 - that that's at work.
00:22:31 - And we'll do that by setting up, first of all, a dynamic
00:22:35 - access policy, and then we'll have Bob, or our engineering
00:22:38 - user, log in again.
00:22:40 - The first thing I like to do is make sure that he can
00:22:42 - actually log in once successfully.
00:22:45 - So we'll get back to our pre-login policy and specify
00:22:48 - that you have to be coming in from the 192.168.1 network,
00:22:52 - and we'll click on apply all.
00:22:53 - That way at least he can log in.
00:22:55 - And next, we'll take a look at creating a
00:22:57 - dynamic access policy.
00:22:59 - To do that, we're going to go over here under Clientless SSL
00:23:03 - VPN access and dynamic access policy, this right there.
00:23:07 - And we're going to open that up, and under dynamic access
00:23:10 - policies, we have this default access policy, which we've
00:23:13 - seen in our logs already in this Nugget series.
00:23:16 - That's the default policy, the DAP policy that's applied if
00:23:19 - no other enforced policy has been said to be used.
00:23:23 - We want to go ahead and create a new policy.
00:23:26 - Let's click on add.
00:23:27 - And here's the details for this dynamic access policy.
00:23:30 - Let's give it a name.
00:23:31 - Let's call it no HTTP browsing for you.
00:23:41 - All right.
00:23:41 - Just a name.
00:23:42 - This can be our policy.
00:23:43 - And it's a giant if-then statement.
00:23:46 - What do you mean, Keith, an if-then statement?
00:23:47 - Well, we're going to say if these criteria match, then we
00:23:51 - want you to remove the ability to do HTTP browsing.
00:23:54 - We could just as easily say, if these criteria match, we
00:23:58 - want to add additional web type ACL permissions.
00:24:02 - So it can go either way.
00:24:03 - If they have something you can give them permissions, if they
00:24:06 - have something you can remove permissions.
00:24:08 - So in this case, under which AAA attribute values do I want
00:24:11 - to match on, you click on add, and let's take a look.
00:24:15 - There is a whole boatload of options that we can look at.
00:24:17 - Cisco attributes, Lightweight Directory Access Protocol
00:24:20 - attributes, attributes we learned via radius, doing
00:24:23 - authentication via radius.
00:24:25 - Let's say Cisco attributes.
00:24:27 - Let's say connection profile.
00:24:28 - Let's say anybody who comes in on the connection profile
00:24:32 - called engineering connection profile, that one right there,
00:24:35 - that's going to be a match.
00:24:37 - So now, what happens is anybody who comes in on this
00:24:40 - connection profile called engineering con is going to
00:24:43 - say, wow, dynamic access policy, no HTTP
00:24:46 - browsing for you.
00:24:47 - This is going to apply.
00:24:49 - Now, do you want it to apply to everybody who comes on that
00:24:52 - connection profile or just a few people?
00:24:54 - And the answer is, it depends on your policy.
00:24:56 - And that's where we come over here. 00:24:58 - It says if this matches and the
following endpoint 00:25:02 - attributes are satisfied.
00:25:03 - So we can come here and say, we want to add anti-spyware,
00:25:07 - and we could say, well, not installed. 00:25:10 - So would that mean is basically
if there's no 00:25:12 - anti-spyware installed, that would
qualify that machine to 00:25:16 - go ahead and get this rule.
00:25:18 - So in this case, if we wanted to say, for example, let's say
00:25:21 - we're looking for operating system is
00:25:25 - Windows 7, as an example. 00:25:29 - So for Windows, and I click on
OK. 00:25:32 - What this would do, just give you
the flow here, is that a 00:25:35 - person coming in on the connection
profile who's 00:25:37 - coming in on a Macintosh or a Linux
box or an XP, not 00:25:42 - Windows 7, wouldn't match this
criteria. 00:25:45 - So if they don't match this criteria,
they wouldn't get 00:25:47 - any of the actions that we're about
to 00:25:49 - specify down here below.
00:25:50 - So you get very granular in what you specify for your
00:25:54 - dynamic access policy rules. 00:25:56 - And you've got to be very careful,
because whatever you 00:25:58 - specify here, they win.
00:26:00 - No matter what. 00:26:02 - They happen at the very top of
the inheritance stack as the 00:26:05 - user authenticates and gets their
rules set up. 00:26:08 - The DAP is going to win.
00:26:10 - So in this case, as an example, let's say if the
00:26:13 - tunnel group is engineering con and the version of Windows
00:26:16 - is Windows 7, which are both the case for this new machine
00:26:19 - I'm coming in from, let's go ahead and specify some
00:26:22 - additional rules. 00:26:23 - These are the additional rules
that are going to be applied 00:26:26 - to the dynamic access policy.
00:26:28 - And let's do something we can see obviously.
00:26:30 - Let's go to functions. 00:26:31 - That's super easy to see.
00:26:33 - Right now the user can do that drop-down list and do HTTP,
00:26:37 - HTTPS, CIFS browsing and FTP browsing, and Telnet and SSH
00:26:42 - and everything else. 00:26:43 - Let's say we want to disable HTTP
server 00:26:46 - browsing right here.
00:26:47 - So we'll go to URL entry, we'll say we're going to
00:26:50 - disable that. 00:26:51 - Which applies to HTTP.
00:26:53 - In fact, we could say disable to all these.
00:26:56 - So file server entry, the file server browsing--
00:27:00 - those would be FTP-- 00:27:00 - and the URL entry.
00:27:02 - Let's disable all those. 00:27:03 - Because a moment ago, he had them
from the 00:27:06 - drop-down down list.
00:27:06 - He could get anything he wanted to.
00:27:08 - So what this is saying, this rule, after we apply it, is
00:27:12 - saying this dynamic access policy is called no HTTP
00:27:15 - browsing for you. 00:27:17 - And if it matches, we're going
to go ahead and disable the 00:27:20 - file browsing, file URL entry,
and URL entry. 00:27:23 - So we'll click on send.
00:27:24 - Now the concept here is that it's really flexible, but in a
00:27:28 - large environment you have to be really careful.
00:27:29 - Because if you put in a simple policy that says everybody
00:27:32 - coming in on a connection profile, no matter what, have
00:27:35 - this applied to them, that's exactly 00:27:37 - what's going to happen.
00:27:38 - And that may or may not be the thing you desire.
00:27:40 - So be very careful, test it out before you roll it out.
00:27:43 - So now that's applied. 00:27:44 - Let's go back to our client and
try them again. 00:27:47 - So we'll bring up the client.
00:27:48 - I'm going to bring up a brand new window so
00:27:50 - that nothing is cached. 00:27:52 - And now it's going through Cisco
Secure Desktop, it's 00:27:55 - asking me for my admin rights so
it can run it. 00:27:58 - I'm going to say yes.
00:28:00 - And it says success. 00:28:02 - That's a great thing.
00:28:02 - Now it's asking me to log on. 00:28:04 - Fantastic.
00:28:05 - So we'll log on as eng user with a password of Cisco.
00:28:09 - And we are now in. 00:28:10 - There's our bookmarks, there's
our menu system 00:28:13 - on the left, fantastic.
00:28:14 - Let's go back to the ASDM and take a look at the details.
00:28:19 - So I had my inbound connection on port 443, which is great.
00:28:22 - We had some AAA authentication and it determined that the
00:28:25 - user was engineering user. 00:28:27 - Fantastic.
00:28:28 - It figured out that my group was engineering group.
00:28:30 - That's also great. 00:28:32 - And also then, take a look at this
right here. 00:28:34 - Dynamic access policy.
00:28:36 - The user called engineering user coming in from that IP
00:28:39 - address, Clientless connection, the following DAP
00:28:42 - records were selected for this connection.
00:28:45 - So here we have the dynamic access policy of no HTTP
00:28:49 - browsing for you. 00:28:50 - The question is, did that apply,
yes or no? 00:28:53 - Can we browse?
00:28:54 - Well, let's go back to our client and we'll take a look.
00:28:57 - So here's our client. 00:28:59 - And I thought something was missing.
00:29:01 - Up here at the top we have no options whatsoever.
00:29:05 - So if we had limited just to know browsing for web services
00:29:09 - or file services, but since we said no browsing at all, that
00:29:12 - whole bar is gone. 00:29:14 - And that's because the dynamic
access policy that was 00:29:16 - applied, which was all determined
by two factors. 00:29:20 - Number one, we came in on the connection
profile called the 00:29:23 - engineering connection profile.
00:29:24 - And secondly, we were Windows 7. 00:29:26 - And as a result of those two things
being true, it applied 00:29:29 - the dynamic access policy for our
VPN session. 00:29:33 - In this Nugget, we've identified
some of the 00:29:36 - benefits of the Cisco Secure Desktop
to have either a 00:29:39 - secure vault like a sandbox that
all the files and 00:29:42 - everything else live in while that
user is on the VPN 00:29:45 - connection, and then when he's
gone, we simply 00:29:47 - get rid of the vault.
00:29:48 - There's also a cache cleaner component of it.
00:29:50 - If you don't want to use the vault, you can use the cache
00:29:52 - cleaner to clean up everything after the user is gone.
00:29:56 - What's the benefit of having this Cisco Secure Desktop?
00:29:59 - A couple things. 00:30:00 - Number one, besides the pre-logon
assessment and 00:30:03 - looking for things like firewall
software, anti-virus 00:30:06 - software, the presence of malware,
and so forth, we can 00:30:09 - also, based on the host scan of
that device and what he has 00:30:11 - or doesn't have, we can implement
00:30:13 - dynamic access policies. 00:30:15 - Now without the appropriate license
on the ASA, we can't 00:30:18 - fix the problems that we find at
the PC. 00:30:20 - But with the advanced assessment
license, you can. 00:30:24 - We also took a look at implementing
a really basic 00:30:26 - dynamic access policy, setting
up some criteria, and then 00:30:30 - logging in to confirm that the
dynamic access policy that we 00:30:34 - created looking for a specific
connection profile and use and 00:30:37 - a specific version of operating
system triggered the 00:30:40 - additional restrictions applied
by the 00:30:43 - dynamic access policy.
00:30:45 - I hope this has been informative for you, and I'd
00:30:48 - like to thank you for viewing.