Sunday, August 27, 2006

CISCO ASA SVC WebVPN

SSL VPN Client

The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the benefits of an IPSEC VPN client without the need for network administrators to install and configure IPSEC VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer, as well as the WebVPN login and authentication of the security appliance.

When the user connects to the security appliance, if the user satisfies the login and authentication, and if the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation.

After downloading, the SVC installs and configures itself, and the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates.

Installing the SVC Software

Installing the SVC consists of copying the SVC images to the security appliance and assigning an order to the images.

Step 1 – Copy the SVC image to the security appliance using the copy command in privileged EXEC mode.

Step 2 – Assign an order to the SVC images using the svc image command from webvpn mode:

svc image filename order


Enabling SVC

After installing the SVC, you enable it by performing the following steps in webvpn mode:

Step 1 – Enable WebVPN on an interface in webvpn configuration mode

(config) webvpn
(config-webvpn) enable outside

Step 2 – from webvpn enter the svc enable command

(config-webvpn) svc enable

Step 3 – Configure a method of address assignment (DHCP, user-assigned addressing and/or a local IP pool). A local pool is defined in global configuration mode:

(config) ip local pool vpn_users 192.168.1.100-192.168.1.200 mask 255.255.255.0

Step 4 – Assign IP addresses to a tunnel group

(config) tunnel-group remote_users general-attributes
(config-tunnel-general) address-pool vpn_users

Step 5 – Assign a default group policy to the tunnel group with the default-group-policy command

(config-tunnel-general) default-group-policy sales

Step 6 - Create and enable a group alias that displays in the group list on the WebVPN Login page using the group-alias command

(config) tunnel-group remote_users webvpn-attributes
(config-tunnel-webvpn) group-alias sales_department enable

Step 7 – Enable the display of the tunnel-group list on the WebVPN Login page from webvpn mode

(config) webvpn
(config-webvpn) tunnel-group-list enable


Step 8 – Identify WebVPN as a permitted VPN tunneling protocol for the group or user with the vpn-tunnel-protocol command

(config) group-policy sales attributes
(config-group-policy) webvpn
(config-group-webvpn) vpn-tunnel-protocol webvpn


Step 9 – Enable or require the SVC for a specific group or user by using the svc command from either group-policy webvpn mode or username webvpn mode

svc {none | enable | required}



Enabling permanent SVC installation

Enabling permanent SVC installation disables the automatic uninstall feature of the SVC. The SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user.

To enable permanent SVC installation for a specific group or user, use the svc keep-installer command:

svc keep-installer {installed | none} – installed specifies that the SVC is permanently installed on the remote computer; none specifies that the SVC is removed from the remote computer after the active SVC connection terminates. By default, permanent SVC installation is disabled and the SVC uninstalls at the end of every SVC session.


Viewing SVC Sessions

You can view information about active SVC sessions using the following command:

show vpn-sessiondb svc



Logging Off SVC Sessions

To log off all SVC sessions, use the vpn-sessiondb logoff svc command.

You can log off individual SVC sessions using either the name option or the index option:

vpn-sessiondb logoff name name
vpn-sessiondb logoff index index

CISCO ASA User VPN definitions

*** ip pool management ***
ip local pool pool-prestataire-tata 192.168.1.200-192.168.1.210 mask 255.255.255.0


*** nat management ***
access-list inside_nonat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nonat0_outbound


*** rights management ***
access-list prestataire-tata extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.1 eq 3389


*** define tunnel group ***
tunnel-group prestataire-tata type ipsec-ra
tunnel-group prestataire-tata general-attributes
address-pool pool-prestataire-tata
tunnel-group prestataire-tata ipsec-attributes
pre-shared-key ******


*** group definition ***
group-policy prestataire-tata internal
group-policy prestataire-tata attributes
vpn-filter value prestataire-tata
vpn-tunnel-protocol IPSEC


*** define user and associate it with the group ***
username TATA password xxxxxxxxxxxxx encrypted privilege 0
username TATA attributes
vpn-group-policy prestataire-tata
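As an added example (not part of this post and not a Cisco tool), the following Python script audits a constructed ASA running-config against the points made in the SVC enabling steps above and in these user VPN definitions: every tunnel-group should reference an address pool that exists and carry a default group policy, and every group policy should have a vpn-filter that is not wide open plus an explicit vpn-tunnel-protocol. The sample config, the extra tunnel-groups and group-policies (partners, contractors, wide-open) and the wording of the findings are assumptions constructed for the demonstration.

```python
import re

# Constructed sample running-config (not from a real appliance), modelled on the
# SVC enabling steps and the user VPN definitions in this post. Sub-mode commands
# carry the one-space indent that "show running-config" prints.
SAMPLE_CONFIG = """\
ip local pool pool-prestataire-tata 192.168.1.200-192.168.1.210 mask 255.255.255.0
ip local pool vpn_users 192.168.1.100-192.168.1.200 mask 255.255.255.0
access-list inside_nonat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list prestataire-tata extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.1 eq 3389
access-list wide-open extended permit ip any any
nat (inside) 0 access-list inside_nonat0_outbound
tunnel-group prestataire-tata type ipsec-ra
tunnel-group prestataire-tata general-attributes
 address-pool pool-prestataire-tata
 default-group-policy prestataire-tata
tunnel-group prestataire-tata ipsec-attributes
 pre-shared-key *****
tunnel-group remote_users type webvpn
tunnel-group remote_users general-attributes
 address-pool vpn_users
 default-group-policy sales
tunnel-group partners general-attributes
 address-pool pool-partners
 default-group-policy contractors
group-policy prestataire-tata internal
group-policy prestataire-tata attributes
 vpn-filter value prestataire-tata
 vpn-tunnel-protocol IPSec
group-policy sales internal
group-policy sales attributes
 vpn-tunnel-protocol webvpn
 webvpn
  svc enable
group-policy contractors internal
group-policy contractors attributes
 vpn-filter value wide-open
 vpn-tunnel-protocol IPSec
username TATA attributes
 vpn-group-policy prestataire-tata
"""


def parse_blocks(config_text):
    """Group a running-config into (top-level command, [sub-commands]) pairs.
    Nested sub-modes (e.g. the webvpn mode of a group-policy) are flattened
    into the same list, which is enough for the checks below."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_vpn_config(config_text):
    """Return findings about remote-access definitions that weaken least privilege."""
    blocks = parse_blocks(config_text)
    pools, acls = set(), {}
    for header, _ in blocks:                       # first pass: collect definitions
        w = header.split()
        if w[:3] == ["ip", "local", "pool"]:
            pools.add(w[3])
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
    findings = []
    for header, subs in blocks:                    # second pass: check references
        w = header.split()
        if w[0] == "tunnel-group" and w[-1] == "general-attributes":
            name = w[1]
            pool = next((s.split()[1] for s in subs if s.startswith("address-pool ")), None)
            if pool is None:
                findings.append(f"tunnel-group {name}: no address-pool assigned")
            elif pool not in pools:
                findings.append(f"tunnel-group {name}: address-pool {pool} is not defined")
            if not any(s.startswith("default-group-policy ") for s in subs):
                findings.append(f"tunnel-group {name}: no default-group-policy, DfltGrpPolicy applies")
        elif w[0] == "group-policy" and w[-1] == "attributes":
            name = w[1]
            acl = next((s.split()[2] for s in subs if s.startswith("vpn-filter value ")), None)
            if acl is None:
                findings.append(f"group-policy {name}: no vpn-filter, tunnel traffic is unrestricted")
            elif acl not in acls:
                findings.append(f"group-policy {name}: vpn-filter ACL {acl} does not exist")
            elif any(re.search(r"\bpermit ip any any\b", e, re.I) for e in acls[acl]):
                findings.append(f"group-policy {name}: vpn-filter ACL {acl} permits ip any any")
            if not any(s.startswith("vpn-tunnel-protocol ") for s in subs):
                findings.append(f"group-policy {name}: no vpn-tunnel-protocol restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the tunnel-group whose pool was never defined, the WebVPN group that has no vpn-filter at all, and the group whose filter permits everything; the prestataire-tata definitions from this post pass because their filter allows only RDP to one host.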

CISCO ASA - WebVPN Policies

Creating and applying WebVPN Policies

Creating and applying WebVPN policies that govern access to resources at the central site includes:

- creating port forwarding, URL and access lists in global configuration mode (use the port-forward, url-list and access-list commands)
- assigning lists to group policies and users in group-policy or username mode
- enabling features for group policies and users (use the functions command)
- assigning users to group policies (you can use the internal authentication server or a RADIUS server to assign users to groups)

WebVPN supports specific tunnel group attributes, in addition to the common tunnel group attributes. At the same time, there are WebVPN attributes for group policies and users.

Port Forwarding Applet

To run a remote application over WebVPN, a user clicks Start Application Access on the WebVPN homepage to download and start a port-forwarding Java applet. To simplify application access, you can configure WebVPN to download the port-forwarding applet automatically: in webvpn mode, enter the functions command with the auto-download option.

Note : Close the Application Access window properly when you finish using Application Access. When you start Application Access, WebVPN modifies the hosts file, adding WebVPN-specific entries. Stopping Application Access by properly closing the Application Access window returns the file to its original state.


File Access

The CIFS protocol provides users with network access to files, printers and other machine resources. WebVPN serves remote users with HTTPS portal pages that interface with a proxy CIFS client running on the security appliance. Using this client, WebVPN provides users with network access to the files on the network. This client is transparent; the portal page delivered by WebVPN provides the appearance of direct access to the file system. When a client requests a list of files, WebVPN queries the server designated as the master browser for the IP address of the server containing the file list. The security appliance gets the list and delivers it to the remote user on a portal page.

Note : the security appliance requires a master browser or WINS server, typically on the same network as the security appliance or reachable from that network, to query the network for a list of servers when the remote user clicks Browse Network on the WebVPN homepage or toolbar. If you don’t specify a master browser, the alternative is to use the url-list command in global configuration mode or in webvpn mode:

url-list listname displayname cifs://ServerA/ShareX/

To allow Browse Network, follow these steps:

Step 1 – Use the nbns-server command in tunnel-group webvpn configuration mode once for each NetBIOS Name Server (NBNS):

nbns-server {IPaddress | hostname} [master] [timeout timeout] [retry retries]

(config-tunnel-webvpn) nbns-server 192.168.1.20 master
(config-tunnel-webvpn) nbns-server 192.168.1.30
(config-tunnel-webvpn) nbns-server 192.168.1.40

Step 2 – To configure security appliance support for file access, file browsing and file server entry, use the following functions command in webvpn mode:

functions file-access file-browsing file-entry


Citrix MetaFrame Services

WebVPN users can use a connection to the security appliance to access Citrix MetaFrame services. In this configuration, the security appliance functions as the Citrix secure gateway.


WebVPN with PDA

You can access WebVPN from your Pocket PC or other PDA. Neither the security appliance administrator nor the WebVPN user needs to do anything special to use WebVPN with a certified PDA.

Warning : Some differences in the PDA version of WebVPN exist.


Using E-Mail over WebVPN

WebVPN supports several ways to access e-mail:

- E-Mail proxy
- MAPI – MS Outlook Exchange
- Web E-Mail – MS Outlook Web Access

To use the MS Outlook Exchange Proxy, you must enable the MS Outlook Exchange Proxy on the security appliance through the functions command, which is a group-policy webvpn command:

(config) group-policy group-policy-name attributes
(config-group-policy) webvpn
(config-group-webvpn) functions mapi


Customizing WebVPN Pages

You can change the appearance of the WebVPN pages displayed to WebVPN users. This includes the Login page displayed to users when they connect to the security appliance, the Home page displayed to users after the security appliance authenticates them, the Application Access window displayed when users launch an application, and the Logout page displayed when users log out of the WebVPN service.

After you customize the WebVPN pages, you can save your customization and apply it to a specific tunnel group, group, or user. You can create and save many customizations, enabling the security appliance to change the appearance of WebVPN pages for individual users or groups of users.

To access the customization feature, enter webvpn mode and select a customization profile:

(config) webvpn
(config-webvpn) customization profile_name
(config-webvpn-custom)


For example, you can define another logo for the logon page with the logo command:
(config-webvpn-custom) logo file disk0:/xxxx.xxx

Note 1 : Many WebVPN customization commands contain the style option. The value is expressed as any valid Cascading Style Sheet (CSS) parameters.

Note 2 : To easily customize the WebVPN pages , we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


After you create a customization, you can apply the customization to a tunnel group, a group, or a user, with the customization command. The options displayed with this command are different depending on the mode you are in.

To apply a customization to a group :

(config) group-policy group_name attributes
(config-group-policy) webvpn
(config-group-webvpn) customization value customization_profile_name


To apply a customization to a user :

(config) username user_name attributes
(config-username) webvpn
(config-username-webvpn) customization value customization_profile_name


Notes :

A Tunnel Group consists of a set of records that determines tunnel connections policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connections information is sent.


TrendMicro SPS Change SPAM TAG

To change the spam tag in the SPS configuration, you need to replace the SpamTag key in the Registry.

The SpamTag key is located under \HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ISNT5\registry\config\FilterManager\0003\0001

After changing the key, you need to restart the IMSS service.

Saturday, August 26, 2006

CISCO - WebVPN Security concerns

In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web server. When the WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate, and therefore cannot examine and validate the certificate.

The current implementation of WebVPN on the security appliance does not permit communication with sites that present expired certificates.

To minimize the risks involved with SSL certificates:

- Configure a group policy that consists of all users who need WebVPN access and enable the WebVPN feature only for that group policy.
- Limit Internet access for WebVPN users. One way to do this is to disable URL entry.
- Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

CISCO - ASA FailOver Active/Standby

Configuring Failover

Remarks

a) The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and type of interfaces, the same amount of Flash memory, and the same amount of RAM.

b) The two units in a failover configuration must be in the same operating mode and have the same major (first number) and minor (second number) software version.

c) The two units in a failover pair constantly communicate over the failover link to determine the operating status of each unit. You can use any unused Ethernet interface on the device as the failover link. You cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface. The interface should only be used for the failover link (and optionally for the Stateful Failover link).

d) The unit that becomes active assumes the IP addresses and the MAC address of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP and MAC address. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. This is not the case on the failover link.


Configuration synchronization

Configuration synchronization occurs when one or both units in a failover pair boot. The configurations are synchronized as follows:

- When a unit boots while the peer unit is active, the booting unit contacts the active unit to obtain the running configuration, regardless of the primary or secondary designation of the booting unit.
- When both units boot simultaneously, the secondary unit obtains the running configuration from the primary unit.

On the unit receiving the configuration, the configuration exists only in running memory. To save the configuration to flash after synchronization, enter the write memory all command on the active unit.


Global configuration process


A ) Configure the primary unit


Step 1 - Configure the IP address on each interface (the active and standby IP address). This step is not needed on the failover interface.

ip address active_addr netmask standby standby_addr


Step 2 - Designate the unit as the primary unit

failover lan unit primary


Step 3 – Define the failover interface

failover lan interface if_name phys_if

if_name assigns a name to the interface specified by phys_if. The phys_if can be the physical port name (e.g. ethernet0) or a previously defined subinterface (e.g. ethernet0/1.1).


Step 4 – Assign the active and standby address to the failover link

failover interface ip if_name ip_addr netmask standby ip_addr


Step 5 – Optional – Enable the Stateful Failover

failover link if_name phys_if


Step 6 – Enable the Failover interface

interface phys_if
no shutdown


Step 7 – Enable Failover

failover


Note 1 : If the Stateful Failover link uses the failover link, then you only need to supply the if_name argument.
Note 2 : The standby IP address must be in the same subnet as the active IP address.


B) Configure the secondary unit

Step 1 – Define the interface used as the failover interface

failover lan interface if_name phys_if


Step 2 – Assign the active and standby address to the failover link

failover interface ip if_name ip_addr netmask standby ip_addr

Enter the command exactly as you entered it on the primary unit.


Step 3 – Enable the interface

interface phys_if
no shutdown


Step 4 – Optional - Designate the unit as the secondary unit

failover lan unit secondary


Step 5 – Enable Failover

failover
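As an added example, not from the post, here is a Python helper that renders the primary (A) and secondary (B) command sequences from one set of parameters, so that the secondary repeats the failover link commands exactly as they were entered on the primary, and that checks the constraints stated in the remarks and notes above: the failover link must be an unused interface with no name, every standby address must be in the same subnet as its active address, and a failover key should be present. The interface names, addresses and the key placeholder are constructed assumptions.

```python
import ipaddress

# Constructed parameters for a hypothetical Active/Standby pair. Names, addresses
# and the key placeholder are assumptions; they do not come from the post.
PAIR = {
    "failover_if_name": "folink",          # if_name given to the failover link
    "failover_phys_if": "ethernet0/3",     # unused port dedicated to failover
    "failover_ip": ("10.0.0.1", "10.0.0.2", "255.255.255.252"),  # active, standby, mask
    "stateful_on_failover_link": True,     # Note 1: Stateful link shares the failover link
    "key": "<failover-shared-secret-placeholder>",
    # data interfaces: (physical port, nameif, active, standby, netmask)
    "interfaces": [
        ("ethernet0/0", "outside", "203.0.113.2", "203.0.113.3", "255.255.255.0"),
        ("ethernet0/1", "inside", "192.168.10.1", "192.168.10.2", "255.255.255.0"),
    ],
}


def same_subnet(active, standby, mask):
    """Note 2: the standby address must lie in the active address's subnet."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    return ipaddress.ip_address(standby) in net


def validate_pair(p):
    """Return the constraints from the remarks/notes that the parameters violate."""
    problems = []
    named = {phys for phys, *_ in p["interfaces"]}
    if p["failover_phys_if"] in named:          # remark c): no named interface as failover link
        problems.append(f"{p['failover_phys_if']} already carries a nameif; use an unused interface")
    for _, name, act, sby, mask in p["interfaces"]:
        if not same_subnet(act, sby, mask):
            problems.append(f"{name}: standby {sby} is not in the subnet of active {act}/{mask}")
    act, sby, mask = p["failover_ip"]
    if not same_subnet(act, sby, mask):
        problems.append(f"failover link: standby {sby} is not in the subnet of active {act}/{mask}")
    if not p.get("key"):                         # failover key: authenticate/encrypt peer traffic
        problems.append("no failover key: peer communication is neither authenticated nor encrypted")
    return problems


def build_pair(p):
    """Render the primary (A) and secondary (B) command sequences."""
    ifn, phys = p["failover_if_name"], p["failover_phys_if"]
    act, sby, mask = p["failover_ip"]
    shared = [                                   # entered identically on both units
        f"failover lan interface {ifn} {phys}",
        f"failover interface ip {ifn} {act} {mask} standby {sby}",
    ]
    primary = []
    for dphys, name, a, s, m in p["interfaces"]:  # A step 1: active + standby per interface
        primary += [f"interface {dphys}", f" nameif {name}", f" ip address {a} {m} standby {s}"]
    primary += ["failover lan unit primary"] + shared
    if p["stateful_on_failover_link"]:
        primary.append(f"failover link {ifn}")   # Note 1: only if_name when sharing the link
    primary += [f"interface {phys}", " no shutdown", f"failover key {p['key']}", "failover"]
    secondary = shared + [f"interface {phys}", " no shutdown", "failover lan unit secondary",
                          f"failover key {p['key']}", "failover"]
    return primary, secondary


def shared_lines_match(primary, secondary):
    """The secondary must repeat the failover-link commands exactly as on the primary."""
    def fo(cmds):
        return [c for c in cmds if c.startswith(("failover lan interface", "failover interface ip"))]
    return fo(primary) == fo(secondary)


if __name__ == "__main__":
    for problem in validate_pair(PAIR):
        print("PROBLEM:", problem)
    for label, cmds in zip(("primary", "secondary"), build_pair(PAIR)):
        print(f"--- {label} ---")
        print("\n".join(cmds))
```

Feeding the helper a parameter set whose failover link reuses a named port, or whose standby address sits in another subnet, produces one problem per violated rule, which is the check to run before pasting anything into the units.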



Disabling / Enabling Interface Monitoring

By default, monitoring of physical interfaces is enabled and monitoring of subinterfaces is disabled. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others.

- to disable health monitoring for an interface: no monitor-interface if_name
- to enable health monitoring for an interface: monitor-interface if_name



Main commands and options

Configuring Failover communication Authentication / Encryption

You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key.

failover key {secret | hex key}


Verifying the failover configuration and state

To verify the failover configuration, use the following command:

show failover



show monitor-interface -> Show the status of the monitored interfaces
show running-config failover -> Show the failover commands in the running configuration
write standby -> Resynchronize configurations that have become out of sync.
preempt -> Cause the unit to automatically become active when the unit becomes available.
no failover active -> Force a failover to the standby unit. Executed from the active unit, the active unit becomes standby.
failover active -> Restore the unit to active status. Executed from the standby unit, the standby unit becomes active.
no failover -> Disable failover. The state of each unit doesn’t change until you restart.
failover reset -> Restore a failed unit to an unfailed state.


The failover process generates syslog messages 411001 and 411002.
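As an added example (constructed, not from the post), the following Python monitor parses syslog lines carrying message IDs 411001 and 411002 (interface line protocol up/down), raises a warning when an interface goes down repeatedly within a short window, and treats a down event on the failover link itself as critical, since the pair can no longer agree on each other's health over that link. The sample lines, the failover link name folink and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real device), in the shape the
# appliance emits with "logging timestamp": timestamp, then %ASA-<severity>-<id>.
SAMPLE_SYSLOG = """\
Aug 27 2006 10:15:02: %ASA-4-411002: Line protocol on Interface outside, changed state to down
Aug 27 2006 10:15:09: %ASA-4-411001: Line protocol on Interface outside, changed state to up
Aug 27 2006 10:16:40: %ASA-4-411002: Line protocol on Interface outside, changed state to down
Aug 27 2006 10:16:47: %ASA-4-411001: Line protocol on Interface outside, changed state to up
Aug 27 2006 10:18:03: %ASA-4-411002: Line protocol on Interface outside, changed state to down
Aug 27 2006 10:18:10: %ASA-4-411001: Line protocol on Interface outside, changed state to up
Aug 27 2006 10:30:00: %ASA-4-411002: Line protocol on Interface folink, changed state to down
Aug 27 2006 10:31:00: %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.168.10.7/51234 (203.0.113.2/51234)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
STATE_RE = re.compile(
    r"Line protocol on Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")


def parse_line(line):
    """Split one syslog line into timestamp, severity, message id and text; None if not ASA."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "sev": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}


def analyze_interface_events(lines, failover_if, flap_threshold=3, window=timedelta(seconds=300)):
    """Return (severity, message) alerts for repeated interface downs and failover-link loss."""
    alerts = []
    recent_downs = defaultdict(deque)       # ifname -> timestamps of recent down events
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["msgid"] not in ("411001", "411002"):
            continue                        # only the line-protocol messages matter here
        sm = STATE_RE.search(ev["text"])
        if sm is None or sm["state"] != "down":
            continue
        ifname = sm["ifname"]
        if ifname == failover_if:           # the peers talk over this link; losing it is critical
            alerts.append(("critical", f"{ifname}: failover link down at {ev['ts']:%H:%M:%S}"))
        q = recent_downs[ifname]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:     # drop down events older than the window
            q.popleft()
        if len(q) >= flap_threshold:        # a flapping data interface trips interface monitoring
            alerts.append(("warning", f"{ifname}: {len(q)} down transitions within {int(window.total_seconds())}s"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for severity, message in analyze_interface_events(SAMPLE_SYSLOG.splitlines(), failover_if="folink"):
        print(f"[{severity}] {message}")
```

The window and threshold are tunable; the point of separating the failover link from the data interfaces is that a flapping data interface is a failover-policy event (see Disabling / Enabling Interface Monitoring above), whereas the failover link going down removes the pair's ability to see each other at all.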